Analysis
-
max time kernel
144s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
27/03/2024, 16:09
Static task
static1
Behavioral task
behavioral1
Sample
e2137d3cec69228f87df6cd4d33aa1ad.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e2137d3cec69228f87df6cd4d33aa1ad.exe
Resource
win10v2004-20240226-en
General
-
Target
e2137d3cec69228f87df6cd4d33aa1ad.exe
-
Size
385KB
-
MD5
e2137d3cec69228f87df6cd4d33aa1ad
-
SHA1
6ad3b5740f00d161e58f8451309b4ca02c343fe3
-
SHA256
608cfa38851fec23946f038a561b3bc74d92f78f1ce7bdbf7f34efe101703e09
-
SHA512
c42fbf347e8701087bd46352a2d636ec4aa1e92abfd8da0f53ab4506b7e454959ecf5250342e839768e53becc66ab4c9de26ad2e6ade1b60ba7c341fa57a654f
-
SSDEEP
6144:nUfGfv3cKCr6uubys21OWIplM8MKSCXsxjXWhBIDojCD3amg2nDVYbLOqOInB:Vt01VT8SCSjXWbeoY3amRnZYeqOoB
Malware Config
Signatures
-
Deletes itself (1 IoC)
  PID 2888  e2137d3cec69228f87df6cd4d33aa1ad.exe
-
Executes dropped EXE (1 IoC)
  PID 2888  e2137d3cec69228f87df6cd4d33aa1ad.exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 22  pastebin.com
  flow 30  pastebin.com
-
Suspicious behavior: RenamesItself (1 IoC)
  PID 3568  e2137d3cec69228f87df6cd4d33aa1ad.exe
-
Suspicious use of UnmapMainImage (2 IoCs)
  PID 3568  e2137d3cec69228f87df6cd4d33aa1ad.exe
  PID 2888  e2137d3cec69228f87df6cd4d33aa1ad.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3568 wrote to memory of 2888  pid: 3568  Process: e2137d3cec69228f87df6cd4d33aa1ad.exe  procid_target: 90
  description: PID 3568 wrote to memory of 2888  pid: 3568  Process: e2137d3cec69228f87df6cd4d33aa1ad.exe  procid_target: 90
  description: PID 3568 wrote to memory of 2888  pid: 3568  Process: e2137d3cec69228f87df6cd4d33aa1ad.exe  procid_target: 90
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\e2137d3cec69228f87df6cd4d33aa1ad.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e2137d3cec69228f87df6cd4d33aa1ad.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   PID: 3568
   2. C:\Users\Admin\AppData\Local\Temp\e2137d3cec69228f87df6cd4d33aa1ad.exe (child of PID 3568)
      Command line: C:\Users\Admin\AppData\Local\Temp\e2137d3cec69228f87df6cd4d33aa1ad.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
      PID: 2888
-
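The signatures and process tree above describe a chain a detection engineer would want to correlate from host telemetry: PID 3568 spawns a second copy of the sample from the same path as PID 2888, the parent writes into the child's memory after UnmapMainImage, the child deletes itself, and the run produces flows to pastebin.com. The block below is an added example, not part of the sandbox report and not the sample's code. It runs a self-spawn / memory-write / paste-site correlation over constructed Sysmon-style records whose PIDs mirror the report; the field names follow Sysmon EventID 1 (ProcessCreate), 10 (ProcessAccess) and 22 (DnsQuery), while the parent PID 1234, the explorer.exe and firefox.exe noise, the granted-access mask and the severity labels are assumptions.

```python
"""
Added example, not the sandbox's own code: correlate Sysmon-style events into
the pattern this report shows for PIDs 3568 -> 2888 (self-spawn from the same
image path, VM-write handle from parent to child, paste-site DNS lookup).
All event records below are constructed; only the PIDs and the sample path
come from the report.
"""

# Windows process access rights needed to write another process's memory
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020

# Legitimate hosting services the report flags as abused for C2
PASTE_SITES = {"pastebin.com"}

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\e2137d3cec69228f87df6cd4d33aa1ad.exe"

# Constructed events (assumed parent PID 1234, assumed browser noise)
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3568, "ParentProcessId": 1234,
     "Image": SAMPLE_PATH, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2888, "ParentProcessId": 3568,
     "Image": SAMPLE_PATH, "ParentImage": SAMPLE_PATH},
    {"EventID": 10, "SourceProcessId": 3568, "TargetProcessId": 2888,
     "GrantedAccess": 0x1FFFFF},          # PROCESS_ALL_ACCESS (assumed mask)
    {"EventID": 22, "ProcessId": 2888, "QueryName": "pastebin.com"},
    # Benign noise: a browser also resolves pastebin.com but never self-spawns
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 1234,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 22, "ProcessId": 4100, "QueryName": "pastebin.com"},
]


def self_spawns(events):
    """Map child PID -> parent PID where the child's image equals its parent's."""
    return {
        e["ProcessId"]: e["ParentProcessId"]
        for e in events
        if e["EventID"] == 1 and e["Image"].lower() == e["ParentImage"].lower()
    }


def wrote_memory(events, src, dst):
    """True if src opened dst with both VM_OPERATION and VM_WRITE (EventID 10)."""
    wants = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    return any(
        e["EventID"] == 10
        and e["SourceProcessId"] == src
        and e["TargetProcessId"] == dst
        and (e["GrantedAccess"] & wants) == wants
        for e in events
    )


def paste_queries(events, pids):
    """Sorted paste-site hostnames resolved by any PID in pids (EventID 22)."""
    return sorted({
        e["QueryName"].lower()
        for e in events
        if e["EventID"] == 22 and e["ProcessId"] in pids
        and e["QueryName"].lower() in PASTE_SITES
    })


def correlate(events):
    """One finding per self-spawn pair; severity rises as the memory write
    and the paste-site lookup are also observed for that pair."""
    findings = []
    for child, parent in self_spawns(events).items():
        injected = wrote_memory(events, parent, child)
        sites = paste_queries(events, {parent, child})
        if injected and sites:
            severity = "high"      # hollowing-style write plus paste-site lookup
        elif injected:
            severity = "medium"    # hollowing-style write only
        else:
            severity = "low"       # self-respawn alone (updaters do this too)
        findings.append({
            "parent": parent, "child": child,
            "memory_write": injected, "paste_sites": sites,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Two caveats when moving this to real telemetry: Sysmon EventID 10 records the rights granted on a handle, not a completed write, so the "memory_write" flag is a proxy for the sandbox's WriteProcessMemory signature rather than the same observation; and the "Deletes itself" behaviour is not modelled here, since the self-spawn plus write is already what separates this chain from the browser noise.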
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
385KB
MD5
750a29129d6ea00fea0d683cb744e5c2
SHA1
13e657dc6dd9ed2b2d97ccd050a622accbf32a4e
SHA256
ac25b0739d2973a02776e6db6f15ccd289dbbb87f895f749b1fb8b07d08223ff
SHA512
af17a138e32025e0251a48f2b1d5f77e827342c2576bd1a89bbb0415eeb9b6fe2cac8c56ab098d05af0bcf2a780ad54dca4ba1eeb80e19b49931079473088fc5