e860d132aa3ac7b9ae67948dee6e02bde2397576fd4e711584cfd915c3eadb3e

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d60fc66bffb1f4ed33a99615425d16de.exe
Size

771KB
MD5

d60fc66bffb1f4ed33a99615425d16de
SHA1

8a9df8480526f53866e6314dff65b4c7f2561f73
SHA256

e860d132aa3ac7b9ae67948dee6e02bde2397576fd4e711584cfd915c3eadb3e
SHA512

a2b996d8da3acb47dcb0a1cfa38902a79ba4fa9920ee65d3d25b88e6a0987fb373b423d46307b5f756ac4e116db24b8863786d5a5ca7014f9e3a751cbf843037
SSDEEP

24576:0Y6hJBMu1ClDJct0Mb10hJaothZ2/T6FBBB:0xJBt1CDg/ofT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1144	d60fc66bffb1f4ed33a99615425d16de.exe

Executes dropped EXE 1 IoCs

pid	Process
1144	d60fc66bffb1f4ed33a99615425d16de.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4916	d60fc66bffb1f4ed33a99615425d16de.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4916	d60fc66bffb1f4ed33a99615425d16de.exe
1144	d60fc66bffb1f4ed33a99615425d16de.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 1144	4916	d60fc66bffb1f4ed33a99615425d16de.exe	89
PID 4916 wrote to memory of 1144	4916	d60fc66bffb1f4ed33a99615425d16de.exe	89
PID 4916 wrote to memory of 1144	4916	d60fc66bffb1f4ed33a99615425d16de.exe	89

C:\Users\Admin\AppData\Local\Temp\d60fc66bffb1f4ed33a99615425d16de.exe
"C:\Users\Admin\AppData\Local\Temp\d60fc66bffb1f4ed33a99615425d16de.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\d60fc66bffb1f4ed33a99615425d16de.exe
  C:\Users\Admin\AppData\Local\Temp\d60fc66bffb1f4ed33a99615425d16de.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d60fc66bffb1f4ed33a99615425d16de.exe

Filesize
771KB

MD5
a48d5f7c83679fb48cd4ddaf00c693e4

SHA1
2ca0d63ef196748bcd8b5217ddd7032421d7c0ea

SHA256
71c75fad8bce3f99c89152d7f87a780df3d52a3fdf47a4542893c371af6f633e

SHA512
7147fa0f223b712556cd8a5396f8e0b0233db8c2758e78bcbd0ab15db7dbe9c020ab381b8c3953928e1e9085e5fab9745e56a418c25adeef0e4437e3084879e5

Download Submit
memory/1144-14-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/1144-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1144-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1144-21-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/1144-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1144-34-0x000000000B600000-0x000000000B63C000-memory.dmp

Filesize
240KB

Download
memory/1144-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4916-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4916-1-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/4916-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4916-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download