Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 26-01-2024 03:46
Static task: static1
Behavioral task: behavioral1
  Sample: 764e238f5dc4e60e03148c6ce122d2f6.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 764e238f5dc4e60e03148c6ce122d2f6.exe
  Resource: win10v2004-20231215-en
General
Target: 764e238f5dc4e60e03148c6ce122d2f6.exe
Size: 1000KB
MD5: 764e238f5dc4e60e03148c6ce122d2f6
SHA1: dc392796b82ae74786e0c54922dc51a4f5392887
SHA256: e7bfea95068ae18b9056771c4f348803259a07d0e4c4f3592803fa2810ec373c
SHA512: 227caaf5a03e57fd1642097f493d70a259e3f9303d776354a9fe04fe523375223eff2a0203829e9e20e1734af868cf778bf3a53a237fcd69604190b12ecec996
SSDEEP: 24576:rS/T17m6rdVG2qlAgGKYOD3xDV1B+5vMiqt0gj2ed:oqWpqlAgGlODBDZqOL
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 1744  764e238f5dc4e60e03148c6ce122d2f6.exe
Executes dropped EXE (1 IoC)
  PID 1744  764e238f5dc4e60e03148c6ce122d2f6.exe
Loads dropped DLL (1 IoC)
  PID 1212  764e238f5dc4e60e03148c6ce122d2f6.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 5  pastebin.com
  flow 7  pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 1744  764e238f5dc4e60e03148c6ce122d2f6.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2624  schtasks.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1744  764e238f5dc4e60e03148c6ce122d2f6.exe
Suspicious behavior: RenamesItself (1 IoC)
  PID 1212  764e238f5dc4e60e03148c6ce122d2f6.exe
Suspicious use of UnmapMainImage (2 IoCs)
  PID 1212  764e238f5dc4e60e03148c6ce122d2f6.exe
  PID 1744  764e238f5dc4e60e03148c6ce122d2f6.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                               procid_target
  PID 1212 wrote to memory of 1744   1212  764e238f5dc4e60e03148c6ce122d2f6.exe  28
  PID 1212 wrote to memory of 1744   1212  764e238f5dc4e60e03148c6ce122d2f6.exe  28
  PID 1212 wrote to memory of 1744   1212  764e238f5dc4e60e03148c6ce122d2f6.exe  28
  PID 1212 wrote to memory of 1744   1212  764e238f5dc4e60e03148c6ce122d2f6.exe  28
  PID 1744 wrote to memory of 2624   1744  764e238f5dc4e60e03148c6ce122d2f6.exe  29
  PID 1744 wrote to memory of 2624   1744  764e238f5dc4e60e03148c6ce122d2f6.exe  29
  PID 1744 wrote to memory of 2624   1744  764e238f5dc4e60e03148c6ce122d2f6.exe  29
  PID 1744 wrote to memory of 2624   1744  764e238f5dc4e60e03148c6ce122d2f6.exe  29
Processes
1. C:\Users\Admin\AppData\Local\Temp\764e238f5dc4e60e03148c6ce122d2f6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\764e238f5dc4e60e03148c6ce122d2f6.exe"
   PID: 1212
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\764e238f5dc4e60e03148c6ce122d2f6.exe (child of PID 1212)
      Command line: C:\Users\Admin\AppData\Local\Temp\764e238f5dc4e60e03148c6ce122d2f6.exe
      PID: 1744
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe (child of PID 1744)
         Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\764e238f5dc4e60e03148c6ce122d2f6.exe" /TN Google_Trk_Updater /F
         PID: 2624
         - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 857KB
MD5: 2f93e97a8552d67efea79d5d6303134f
SHA1: c10833590b51e75bfdd4ec234f7f509b6f6d5be8
SHA256: 2be500c246ec1dedbd812bb8c3ea43928fb0239c0947da36152412fe5e8afa79
SHA512: 01a473d79708109257ec8308b460f6501d4740269a9df82d667b749287f6c1eb122828b01a82f5aabf9dbe88bda11d26783171030b19d1fc7870ec32ff68cf39

Filesize: 743KB
MD5: 26c0cfe0ef2d3b2137b269fa5da22bb4
SHA1: c2ce03e3ee3de4f420019872b72a75ca8c8080e0
SHA256: 5be495a6a350cf725a61093746520d711c3cedee6015ab18c9e02893316aec2c
SHA512: a1b450a9ac179a5219167340a1a59d921141e3e5419f48017bcb9008bdd317c8ff81d3a5823c8f1b4f69c31c5725cb2f52239e4b7d321b744b790eed3d4a8179

Filesize: 171KB
MD5: 9c0c641c06238516f27941aa1166d427
SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Filesize: 528KB
MD5: 5623417283353a34bcc9b24be10740d5
SHA1: 9e00ac82f80a9738e54d4f30801f907b01c2bda1
SHA256: 8c02a8ad872e683432d993ac25774f9458f6dd6eaa4eae4c33a7a16498f60751
SHA512: 5817ca623f392050348cebe1821824db0bd7e4d5d61660d82e2a75d98a3aa860860b6e42e52b9f5cb47b7273cee8eee738254387df3d3e002f27050bf9c42eb8