b8beb089f369ffc86f76b1700d8938adeff41c6535770c3899ac113ed644fac3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0647ad5202ed4a2b09a10b71e185f52.exe
Size

1.5MB
MD5

e0647ad5202ed4a2b09a10b71e185f52
SHA1

cbbd5e8b046533cd2369e7c957933af84c56eec3
SHA256

b8beb089f369ffc86f76b1700d8938adeff41c6535770c3899ac113ed644fac3
SHA512

eafd0e7ffd95f2ee783ed5cf987ef1d904931df295de699e20e7da203874f56be0b9218d858e32adbd30e0470d556af03287cb991d96842271e1cb3d6b2564fd
SSDEEP

24576:uDwxnIsBgIBtD65b10hJaothZ2/T6FBBjNPI5lqkfZSkHR82b10hJaothZ2/T6FP:eUIW5Bta/ofqg4/ofp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1592	e0647ad5202ed4a2b09a10b71e185f52.exe

Executes dropped EXE 1 IoCs

pid	Process
1592	e0647ad5202ed4a2b09a10b71e185f52.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4780	e0647ad5202ed4a2b09a10b71e185f52.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4780	e0647ad5202ed4a2b09a10b71e185f52.exe
1592	e0647ad5202ed4a2b09a10b71e185f52.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 1592	4780	e0647ad5202ed4a2b09a10b71e185f52.exe	87
PID 4780 wrote to memory of 1592	4780	e0647ad5202ed4a2b09a10b71e185f52.exe	87
PID 4780 wrote to memory of 1592	4780	e0647ad5202ed4a2b09a10b71e185f52.exe	87

C:\Users\Admin\AppData\Local\Temp\e0647ad5202ed4a2b09a10b71e185f52.exe
"C:\Users\Admin\AppData\Local\Temp\e0647ad5202ed4a2b09a10b71e185f52.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\e0647ad5202ed4a2b09a10b71e185f52.exe
  C:\Users\Admin\AppData\Local\Temp\e0647ad5202ed4a2b09a10b71e185f52.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e0647ad5202ed4a2b09a10b71e185f52.exe

Filesize
1.5MB

MD5
d28dea40760a834a7f21c295acc0bef8

SHA1
01dc1c3d5194e6898eb89d76dad35f3b215e2e79

SHA256
26fa508504c718a1b8948bd09b64614b3f6196be068a52d0fb3128d41936b47b

SHA512
eeb9e6394da28c59642e86bb7569c29e91eddedbcb0b1ad6e6b74e51f5638fc4914a92ba6e55637e62aa68a5b1e65a071119595e52a4ad1f5e8432f62c80a396

Download Submit
memory/1592-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1592-15-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/1592-20-0x0000000004EB0000-0x0000000004F0F000-memory.dmp

Filesize
380KB

Download
memory/1592-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1592-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1592-37-0x000000000C620000-0x000000000C65C000-memory.dmp

Filesize
240KB

Download
memory/1592-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4780-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4780-1-0x0000000001620000-0x0000000001686000-memory.dmp

Filesize
408KB

Download
memory/4780-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4780-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download