8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3

Analysis

max time kernel
146s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 09:32

Target

a3d607292f456d782622bdf10ddcaa72.exe
Size

389KB
MD5

a3d607292f456d782622bdf10ddcaa72
SHA1

e21e9ec6bc6234993591cd2034a019af59e98071
SHA256

8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3
SHA512

147401e381e5ec0a539cc7272721fd0893c6a603b64217539cef925579c32b9be6cd981b68cfbf6a5f484dddc50ddc9c3195172ce00524301206cbb6786df76e
SSDEEP

6144:hjuZSWCTeEVTAHT6HPqHr3aUb/memWBFU/iBHZGI3XCjA77lyJkJZVKM:hjtXVTAHyc3f/U6OiJZhXCsdyJ6ZVKM

Score

6^/10

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

3 pastebin.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

a3d607292f456d782622bdf10ddcaa72.exe

description pid process target process

PID 4416 set thread context of 3932 4416 a3d607292f456d782622bdf10ddcaa72.exe regasm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

regasm.exe

description pid process

Token: SeDebugPrivilege 3932 regasm.exe

flow	ioc
3	pastebin.com

description	pid	process	target process
PID 4416 set thread context of 3932	4416	a3d607292f456d782622bdf10ddcaa72.exe	regasm.exe

description	pid	process
Token: SeDebugPrivilege	3932	regasm.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

a3d607292f456d782622bdf10ddcaa72.exe

description	pid	process	target process
PID 4416 wrote to memory of 3932	4416	a3d607292f456d782622bdf10ddcaa72.exe	regasm.exe
PID 4416 wrote to memory of 3932	4416	a3d607292f456d782622bdf10ddcaa72.exe	regasm.exe
PID 4416 wrote to memory of 3932	4416	a3d607292f456d782622bdf10ddcaa72.exe	regasm.exe
PID 4416 wrote to memory of 3932	4416	a3d607292f456d782622bdf10ddcaa72.exe	regasm.exe
PID 4416 wrote to memory of 3932	4416	a3d607292f456d782622bdf10ddcaa72.exe	regasm.exe
PID 4416 wrote to memory of 3932	4416	a3d607292f456d782622bdf10ddcaa72.exe	regasm.exe
PID 4416 wrote to memory of 3932	4416	a3d607292f456d782622bdf10ddcaa72.exe	regasm.exe
PID 4416 wrote to memory of 3932	4416	a3d607292f456d782622bdf10ddcaa72.exe	regasm.exe
PID 4416 wrote to memory of 1676	4416	a3d607292f456d782622bdf10ddcaa72.exe	regasm.exe
PID 4416 wrote to memory of 1676	4416	a3d607292f456d782622bdf10ddcaa72.exe	regasm.exe
PID 4416 wrote to memory of 1676	4416	a3d607292f456d782622bdf10ddcaa72.exe	regasm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
2⤵
PID:1676

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

memory/3932-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3932-6-0x0000000074350000-0x0000000074B00000-memory.dmp

Filesize
7.7MB

Download
memory/3932-7-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/3932-9-0x0000000074350000-0x0000000074B00000-memory.dmp

Filesize
7.7MB

Download
memory/3932-10-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/4416-0-0x0000022E65D90000-0x0000022E65D9C000-memory.dmp

Filesize
48KB

Download
memory/4416-1-0x00007FFF86930000-0x00007FFF873F1000-memory.dmp

Filesize
10.8MB

Download
memory/4416-2-0x0000022E00470000-0x0000022E00480000-memory.dmp

Filesize
64KB

Download
memory/4416-4-0x0000022E003D0000-0x0000022E0042C000-memory.dmp

Filesize
368KB

Download
memory/4416-3-0x0000022E00360000-0x0000022E0036C000-memory.dmp

Filesize
48KB

Download
memory/4416-8-0x00007FFF86930000-0x00007FFF873F1000-memory.dmp

Filesize
10.8MB

Download