1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe
Size

386KB
MD5

0c4043a9a9efff20810530fd0cad91d7
SHA1

ca3adc7e4f1a027a2969749ccd5e2c1b06b88162
SHA256

1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc
SHA512

e5cb239c051ad141a56ca464be8068cebdc58029e39bc2d31495b27a5267604748f590397c2269d01b42f07af5a8840c8d3b339f4f042db165bd9c023a332d17
SSDEEP

12288:J6zu3pBE2tnPIuE2nGewVMGrNRdb2KZkfgV3:Izu3pBE2tnP3nGBeGHkKZkO

Score

9^/10

Malware Config

Signatures

Detects executables (downlaoders) containing URLs to raw contents of a paste 1 IoCs

resource	yara_rule
behavioral2/memory/4972-5-0x0000000000400000-0x0000000000408000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Detects executables packed with or use KoiVM 1 IoCs

resource	yara_rule
behavioral2/memory/4084-4-0x0000021A6B330000-0x0000021A6B38E000-memory.dmp	INDICATOR_EXE_Packed_KoiVM

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4084 set thread context of 4972	4084	1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe	88

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	regsvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 2768	4084	1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe	87
PID 4084 wrote to memory of 2768	4084	1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe	87
PID 4084 wrote to memory of 2768	4084	1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe	87
PID 4084 wrote to memory of 4972	4084	1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe	88
PID 4084 wrote to memory of 4972	4084	1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe	88
PID 4084 wrote to memory of 4972	4084	1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe	88
PID 4084 wrote to memory of 4972	4084	1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe	88
PID 4084 wrote to memory of 4972	4084	1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe	88
PID 4084 wrote to memory of 4972	4084	1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe	88
PID 4084 wrote to memory of 4972	4084	1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe	88
PID 4084 wrote to memory of 4972	4084	1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe	88
PID 4084 wrote to memory of 456	4084	1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe	89
PID 4084 wrote to memory of 456	4084	1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe	89
PID 4084 wrote to memory of 456	4084	1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe	89

C:\Users\Admin\AppData\Local\Temp\1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe
"C:\Users\Admin\AppData\Local\Temp\1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4084-0-0x0000021A50E60000-0x0000021A50E6A000-memory.dmp

Filesize
40KB

Download
memory/4084-1-0x00007FF896300000-0x00007FF896DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-2-0x0000021A51300000-0x0000021A51310000-memory.dmp

Filesize
64KB

Download
memory/4084-4-0x0000021A6B330000-0x0000021A6B38E000-memory.dmp

Filesize
376KB

Download
memory/4084-3-0x0000021A6B2C0000-0x0000021A6B2CA000-memory.dmp

Filesize
40KB

Download
memory/4084-8-0x00007FF896300000-0x00007FF896DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4972-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4972-6-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/4972-7-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/4972-9-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/4972-10-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download