32eb2e3a1ec6b081d9c6fcfa52caf41e81b0b55dd7372d0caa39ecfd42f837e2

Analysis

max time kernel
164s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df3b9490e67ed0bc6d3b2dc7dfeeb06b.exe
Size

385KB
MD5

df3b9490e67ed0bc6d3b2dc7dfeeb06b
SHA1

a7d6ef316f36b2752d74c34323b70e44fafadc78
SHA256

32eb2e3a1ec6b081d9c6fcfa52caf41e81b0b55dd7372d0caa39ecfd42f837e2
SHA512

3622e010fbe80e947678e415e61f022925eebf5392cc818f1a47604f2075432ebcc4fa784d7c9d2f1367d6b7f54b61cb6c94b70bf1b91aee1088a4c77da2ebcd
SSDEEP

12288:NdCwIxTCG/XBV5rKQroUIxrNW9TeHONzC9s/B:No7ZXB/KQroUI6TecR/B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4712	df3b9490e67ed0bc6d3b2dc7dfeeb06b.exe

Executes dropped EXE 1 IoCs

pid	Process
4712	df3b9490e67ed0bc6d3b2dc7dfeeb06b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
11	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4880	df3b9490e67ed0bc6d3b2dc7dfeeb06b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4880	df3b9490e67ed0bc6d3b2dc7dfeeb06b.exe
4712	df3b9490e67ed0bc6d3b2dc7dfeeb06b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4712	4880	df3b9490e67ed0bc6d3b2dc7dfeeb06b.exe	96
PID 4880 wrote to memory of 4712	4880	df3b9490e67ed0bc6d3b2dc7dfeeb06b.exe	96
PID 4880 wrote to memory of 4712	4880	df3b9490e67ed0bc6d3b2dc7dfeeb06b.exe	96

C:\Users\Admin\AppData\Local\Temp\df3b9490e67ed0bc6d3b2dc7dfeeb06b.exe
"C:\Users\Admin\AppData\Local\Temp\df3b9490e67ed0bc6d3b2dc7dfeeb06b.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\Temp\df3b9490e67ed0bc6d3b2dc7dfeeb06b.exe
  C:\Users\Admin\AppData\Local\Temp\df3b9490e67ed0bc6d3b2dc7dfeeb06b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=2700,i,14629483171127516024,12350888228055326066,262144 --variations-seed-version /prefetch:8
1⤵
PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\df3b9490e67ed0bc6d3b2dc7dfeeb06b.exe

Filesize
385KB

MD5
4093489ac7f77b10815b87537496ab52

SHA1
9f18bb13bbabb8b3a15456096c778e91cb2d14f4

SHA256
c2adaf00914187e86b77c789167c8340bf1b0faacbdd0094e18faf7aceff6a0d

SHA512
60e925e0429535d7c26ecaa27cce12f6f04a8829ca0168f4f4c81b55e1d6666342addb0b8c8f8eee90c49b53423d3d0bfa58aaccb88afb841c8d2399f00ab604

Download Submit
memory/4712-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4712-15-0x00000000015D0000-0x0000000001636000-memory.dmp

Filesize
408KB

Download
memory/4712-20-0x0000000004ED0000-0x0000000004F2F000-memory.dmp

Filesize
380KB

Download
memory/4712-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4712-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4712-36-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/4712-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4880-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4880-1-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/4880-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4880-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download