0b6e8348423049536a26437794b79fb46889acd18f4337fb5f699de8c053a049

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d686fe54ea3e3b495fde0f7ca729d87e.exe
Size

907KB
MD5

d686fe54ea3e3b495fde0f7ca729d87e
SHA1

d77e8fe96ad56cceafb146d8da784e6e7ff5297b
SHA256

0b6e8348423049536a26437794b79fb46889acd18f4337fb5f699de8c053a049
SHA512

0c7d1598ea12439de8e91184f5b2b3103bcfa5f28576f78ecf16b920cbcd4d47d91ee47d8504de413c75932d0ff1f6669668ae6d7ab360e19c9fe8d708fc5565
SSDEEP

24576:IVrQ7QpsYW64z43g9OBRmFBhHGeAxIxNZZOMblnQha/ZS1:AQ7QG64z43g9OfobHGTxIxNZcMggS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1408	d686fe54ea3e3b495fde0f7ca729d87e.exe

Executes dropped EXE 1 IoCs

pid	Process
1408	d686fe54ea3e3b495fde0f7ca729d87e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com
11	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1276	d686fe54ea3e3b495fde0f7ca729d87e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1276	d686fe54ea3e3b495fde0f7ca729d87e.exe
1408	d686fe54ea3e3b495fde0f7ca729d87e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 1408	1276	d686fe54ea3e3b495fde0f7ca729d87e.exe	90
PID 1276 wrote to memory of 1408	1276	d686fe54ea3e3b495fde0f7ca729d87e.exe	90
PID 1276 wrote to memory of 1408	1276	d686fe54ea3e3b495fde0f7ca729d87e.exe	90

C:\Users\Admin\AppData\Local\Temp\d686fe54ea3e3b495fde0f7ca729d87e.exe
"C:\Users\Admin\AppData\Local\Temp\d686fe54ea3e3b495fde0f7ca729d87e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\d686fe54ea3e3b495fde0f7ca729d87e.exe
  C:\Users\Admin\AppData\Local\Temp\d686fe54ea3e3b495fde0f7ca729d87e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d686fe54ea3e3b495fde0f7ca729d87e.exe

Filesize
907KB

MD5
a69fc8098ec181faf4a638efc4ef22b1

SHA1
b803819393eac59249ad06ac1f41d26fd97e9ce4

SHA256
be6e691d2534ff833dbf863c40a8aec49cd7d4ea989a7fb87ff01ab936a63c99

SHA512
79d244e5d77fe477fbc927500c7054a81b70d3217811705db5c00be2417bd28e8de24be8ab22041410602e9d813dd00688296c8e2c13510d0079f856fd9c09d7

Download Submit
memory/1276-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1276-1-0x0000000001680000-0x0000000001768000-memory.dmp

Filesize
928KB

Download
memory/1276-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1276-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1408-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1408-17-0x0000000001680000-0x0000000001768000-memory.dmp

Filesize
928KB

Download
memory/1408-21-0x00000000051B0000-0x000000000526B000-memory.dmp

Filesize
748KB

Download
memory/1408-20-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1408-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1408-37-0x000000000D850000-0x000000000D8E8000-memory.dmp

Filesize
608KB

Download