54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 21:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe
Size

1.2MB
MD5

0ddf5d5f411f78f2624e779f2a623ebf
SHA1

b31ca286cc5da3f55fd1d4888413bf1aa9e4f4e2
SHA256

54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190
SHA512

1d9e0a29bc067550e12058dee234db38e811628912173ff99f012e0edd099d6602fd76adcb28e8257288238bbf282169a18a8194c5869646db7bddffaac0ea24
SSDEEP

24576:CnmqdDh3y4o8yPG3bnNBCiuB4Sa/ZSya/JXk377Lv+f6T8KBGKXu/B:4TfU84crN4gxg23bnBGKXu/B

Score

9^/10

Malware Config

Signatures

Detects executables (downlaoders) containing URLs to raw contents of a paste 2 IoCs

resource	yara_rule
behavioral1/memory/2468-10-0x0000000000400000-0x00000000004A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/memory/2468-38-0x000000000FF50000-0x000000000FFF3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Deletes itself 1 IoCs

pid	Process
2468	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe

Executes dropped EXE 1 IoCs

pid	Process
2468	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe

Loads dropped DLL 1 IoCs

pid	Process
3036	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2468	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3036	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2468	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2468	3036	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe	29
PID 3036 wrote to memory of 2468	3036	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe	29
PID 3036 wrote to memory of 2468	3036	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe	29
PID 3036 wrote to memory of 2468	3036	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe	29

C:\Users\Admin\AppData\Local\Temp\54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe
"C:\Users\Admin\AppData\Local\Temp\54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe
  C:\Users\Admin\AppData\Local\Temp\54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe

Filesize
1.2MB

MD5
7211b45ce3d81d5592d5fb2325980893

SHA1
58ba130e4a3e1d753635fdc989e672ad0f922ef4

SHA256
f6b8b4241bdcf40f4dad623043baf6497de1e5532a1ef3c23a703758ac878ac2

SHA512
83592221a70d7c7798d0c1c28ea899c31c3d7508478c7a1976499908698524c1861ac9e3c8659f0c91a69124a015b2e91956d3d247410a7f8abcbaa5e3837b33

Download Submit
memory/2468-9-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2468-16-0x0000000002D40000-0x0000000002E54000-memory.dmp

Filesize
1.1MB

Download
memory/2468-10-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2468-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-38-0x000000000FF50000-0x000000000FFF3000-memory.dmp

Filesize
652KB

Download
memory/2468-39-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3036-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3036-7-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download