bcae6a5e4cdaa1a731ca5e5f6cd1105c07223800dda58153a25ef2a9bb4be8a8

General

Target

3ac1362a4fbc0662f9f772d5f20d73c8.exe
Size

506KB
MD5

3ac1362a4fbc0662f9f772d5f20d73c8
SHA1

dbc064e911bb1ec7df5f8b88a675a2d777edff1e
SHA256

bcae6a5e4cdaa1a731ca5e5f6cd1105c07223800dda58153a25ef2a9bb4be8a8
SHA512

f51b7603e99e7e3ecf7161c486d77d19cdbad4d2135c9ce6f98c180ff38415e56333aef3ff20216e7aec589fdb872629d36f52fa9f094063400915d7151de849
SSDEEP

12288:zvEaoNfAp4MJzgvMjfuj8XWyXeEvFS1SvCo:z8Yp4s9uj8GyXeiSVo

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2628	3ac1362a4fbc0662f9f772d5f20d73c8.exe

Executes dropped EXE 1 IoCs

pid	Process
2628	3ac1362a4fbc0662f9f772d5f20d73c8.exe

Loads dropped DLL 1 IoCs

pid	Process
2908	3ac1362a4fbc0662f9f772d5f20d73c8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2628	3ac1362a4fbc0662f9f772d5f20d73c8.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2628	3ac1362a4fbc0662f9f772d5f20d73c8.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2908	3ac1362a4fbc0662f9f772d5f20d73c8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2908	3ac1362a4fbc0662f9f772d5f20d73c8.exe
2628	3ac1362a4fbc0662f9f772d5f20d73c8.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2628	2908	3ac1362a4fbc0662f9f772d5f20d73c8.exe	30
PID 2908 wrote to memory of 2628	2908	3ac1362a4fbc0662f9f772d5f20d73c8.exe	30
PID 2908 wrote to memory of 2628	2908	3ac1362a4fbc0662f9f772d5f20d73c8.exe	30
PID 2908 wrote to memory of 2628	2908	3ac1362a4fbc0662f9f772d5f20d73c8.exe	30
PID 2628 wrote to memory of 2668	2628	3ac1362a4fbc0662f9f772d5f20d73c8.exe	31
PID 2628 wrote to memory of 2668	2628	3ac1362a4fbc0662f9f772d5f20d73c8.exe	31
PID 2628 wrote to memory of 2668	2628	3ac1362a4fbc0662f9f772d5f20d73c8.exe	31
PID 2628 wrote to memory of 2668	2628	3ac1362a4fbc0662f9f772d5f20d73c8.exe	31

C:\Users\Admin\AppData\Local\Temp\3ac1362a4fbc0662f9f772d5f20d73c8.exe
"C:\Users\Admin\AppData\Local\Temp\3ac1362a4fbc0662f9f772d5f20d73c8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\3ac1362a4fbc0662f9f772d5f20d73c8.exe
  C:\Users\Admin\AppData\Local\Temp\3ac1362a4fbc0662f9f772d5f20d73c8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\3ac1362a4fbc0662f9f772d5f20d73c8.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2668

Network

DNS

www.Ecg4sH89NV.com

3ac1362a4fbc0662f9f772d5f20d73c8.exe

Remote address:

8.8.8.8:53

Request

www.Ecg4sH89NV.com

IN A

Response
DNS

w.google.com

3ac1362a4fbc0662f9f772d5f20d73c8.exe

Remote address:

8.8.8.8:53

Request

w.google.com

IN A

Response

w.google.com

IN CNAME

www3.l.google.com

www3.l.google.com

IN A

142.250.200.46
GET

http://w.google.com/

3ac1362a4fbc0662f9f772d5f20d73c8.exe

Remote address:

142.250.200.46:80

Request

GET / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*, ???@, ??????????????
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: w.google.com

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
Content-Length: 1561
Date: Wed, 10 Jan 2024 22:55:26 GMT
DNS

pastebin.com

3ac1362a4fbc0662f9f772d5f20d73c8.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.68.143

pastebin.com

IN A

172.67.34.170

pastebin.com

IN A

104.20.67.143
GET

http://pastebin.com/raw/ubFNTPjt

3ac1362a4fbc0662f9f772d5f20d73c8.exe

Remote address:

104.20.68.143:80

Request

GET /raw/ubFNTPjt HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*, ???@, ??????????????
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: pastebin.com

Response

HTTP/1.1 301 Moved Permanently

Date: Wed, 10 Jan 2024 22:55:32 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Wed, 10 Jan 2024 23:55:32 GMT
Location: https://pastebin.com/raw/ubFNTPjt
Server: cloudflare
CF-RAY: 84388215eca8d174-LHR
GET

https://pastebin.com/raw/ubFNTPjt

3ac1362a4fbc0662f9f772d5f20d73c8.exe

Remote address:

104.20.68.143:443

Request

GET /raw/ubFNTPjt HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*, ???@, ??????????????
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: pastebin.com

Response

HTTP/1.1 404 Not Found

Date: Wed, 10 Jan 2024 22:55:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-frame-options: DENY
x-content-type-options: nosniff
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 1763
Server: cloudflare
CF-RAY: 84388236ce1448c7-LHR

142.250.200.46:80

http://w.google.com/

http

3ac1362a4fbc0662f9f772d5f20d73c8.exe

462 B
1.9kB
5
4

HTTP Request

GET http://w.google.com/

HTTP Response

404
104.20.68.143:80

http://pastebin.com/raw/ubFNTPjt

http

3ac1362a4fbc0662f9f772d5f20d73c8.exe

862 B
476 B
8
4

HTTP Request

GET http://pastebin.com/raw/ubFNTPjt

HTTP Response

301
104.20.68.143:443

https://pastebin.com/raw/ubFNTPjt

tls, http

3ac1362a4fbc0662f9f772d5f20d73c8.exe

935 B
5.1kB
9
9

HTTP Request

GET https://pastebin.com/raw/ubFNTPjt

HTTP Response

404

8.8.8.8:53

www.Ecg4sH89NV.com

dns

3ac1362a4fbc0662f9f772d5f20d73c8.exe

64 B
137 B
1
1

DNS Request

www.Ecg4sH89NV.com
8.8.8.8:53

w.google.com

dns

3ac1362a4fbc0662f9f772d5f20d73c8.exe

58 B
95 B
1
1

DNS Request

w.google.com

DNS Response

142.250.200.46
8.8.8.8:53

pastebin.com

dns

3ac1362a4fbc0662f9f772d5f20d73c8.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

104.20.68.143

172.67.34.170

104.20.67.143

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab2E43.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar36DE.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\3ac1362a4fbc0662f9f772d5f20d73c8.exe

Filesize
506KB

MD5
366057a67203aebc6cb58c4d01e0de72

SHA1
59bc15f14c05a065f43ce125971c5f7382c70c0a

SHA256
8bfb5c355c2fedaea00a2c3d6466c93d9d310ec0abe5b3fd66ca4c9191cf905c

SHA512
832c5df7eb05846fe2fbe2dd44d7acf1b0c1f016087240733726d6eadcd8569128289c84d45d4742283496d082d6826ad7af7d4fde732e35ae08a03b88277b15

Download Submit
memory/2628-18-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2628-20-0x00000000001A0000-0x0000000000223000-memory.dmp

Filesize
524KB

Download
memory/2628-27-0x0000000002E50000-0x0000000002ECE000-memory.dmp

Filesize
504KB

Download
memory/2628-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2628-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2908-13-0x0000000002F10000-0x0000000002F93000-memory.dmp

Filesize
524KB

Download
memory/2908-15-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2908-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2908-2-0x0000000001490000-0x0000000001513000-memory.dmp

Filesize
524KB

Download
memory/2908-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.