553e67e00ebbeff3287456d56543f9330f1a26cd4f72469dbf05b55c77d8a6ff

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6cd8b2090825126ca8e7e441f75d650.exe
Size

771KB
MD5

d6cd8b2090825126ca8e7e441f75d650
SHA1

481823f238d6ced866619019923590f0c6036f7b
SHA256

553e67e00ebbeff3287456d56543f9330f1a26cd4f72469dbf05b55c77d8a6ff
SHA512

83762016994e40493274ad50d8c9626622b8567e4c78af5ff42e5743afef6092e8fa0215ba1236bfb6f15464ce2f65dfa01b747a93485561659d92f9f1f81858
SSDEEP

24576:IiVkP1MetdElJDWAxYe/ZWb10hJaothZ2/T6FBBB:IiVkdjdElsNe/ZQ/ofT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3696	d6cd8b2090825126ca8e7e441f75d650.exe

Executes dropped EXE 1 IoCs

pid	Process
3696	d6cd8b2090825126ca8e7e441f75d650.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
8	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2940	d6cd8b2090825126ca8e7e441f75d650.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3696	svchost.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2940	d6cd8b2090825126ca8e7e441f75d650.exe
3696	d6cd8b2090825126ca8e7e441f75d650.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 3696	2940	d6cd8b2090825126ca8e7e441f75d650.exe	89
PID 2940 wrote to memory of 3696	2940	d6cd8b2090825126ca8e7e441f75d650.exe	89
PID 2940 wrote to memory of 3696	2940	d6cd8b2090825126ca8e7e441f75d650.exe	89

C:\Users\Admin\AppData\Local\Temp\d6cd8b2090825126ca8e7e441f75d650.exe
"C:\Users\Admin\AppData\Local\Temp\d6cd8b2090825126ca8e7e441f75d650.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\d6cd8b2090825126ca8e7e441f75d650.exe
  C:\Users\Admin\AppData\Local\Temp\d6cd8b2090825126ca8e7e441f75d650.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3696

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
aeafa2d17142e75435398d1bdfd5ca91

SHA1
337ad7d5eac17d4d507657e3986a302800e4d194

SHA256
c5b4f7e58def3406384411396c145384fadffa103028bc6c02682accb0514a3f

SHA512
36228dd59e0f76f9c2b13762afb1acaae5baac1c7aa0d50ac5122a65195ad47f80be9d6383b438848e616d9311d094ed9e3aaa1b331ad1c7efac2480d94224cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6cd8b2090825126ca8e7e441f75d650.exe

Filesize
771KB

MD5
bcdcd273675de521206310cca5d18186

SHA1
b92bb74b265dd6b7c30012ccfb57c915e9e8cf32

SHA256
eeff2d2d09793aa6b353106e672c39373e11c4d8d72a606cf1ef38e8de622ff9

SHA512
f83c0c07da424b54d940c6da596903a4b60a39f44fe8db9b6e109d5c74e108b9eb17063615bd16ca7444ed1a62e5e90a1f7f0cb277b1313390257b0d98a8a194

Download Submit
memory/2940-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2940-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2940-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2940-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3696-39-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/3696-72-0x0000029FCAEC0000-0x0000029FCAEC1000-memory.dmp

Filesize
4KB

Download
memory/3696-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3696-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3696-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3696-38-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/3696-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3696-40-0x0000029FC2840000-0x0000029FC2850000-memory.dmp

Filesize
64KB

Download
memory/3696-56-0x0000029FC2940000-0x0000029FC2950000-memory.dmp

Filesize
64KB

Download
memory/3696-20-0x00000000015F0000-0x000000000164F000-memory.dmp

Filesize
380KB

Download
memory/3696-73-0x0000029FCAEF0000-0x0000029FCAEF1000-memory.dmp

Filesize
4KB

Download
memory/3696-74-0x0000029FCAEF0000-0x0000029FCAEF1000-memory.dmp

Filesize
4KB

Download
memory/3696-75-0x0000029FCAEF0000-0x0000029FCAEF1000-memory.dmp

Filesize
4KB

Download
memory/3696-76-0x0000029FCAEF0000-0x0000029FCAEF1000-memory.dmp

Filesize
4KB

Download
memory/3696-77-0x0000029FCAEF0000-0x0000029FCAEF1000-memory.dmp

Filesize
4KB

Download
memory/3696-78-0x0000029FCAEF0000-0x0000029FCAEF1000-memory.dmp

Filesize
4KB

Download
memory/3696-79-0x0000029FCAEF0000-0x0000029FCAEF1000-memory.dmp

Filesize
4KB

Download
memory/3696-80-0x0000029FCAEF0000-0x0000029FCAEF1000-memory.dmp

Filesize
4KB

Download
memory/3696-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download