48da6b256c719f7328c57a4d2a617e4a8c5e74bdead1f0cca0439cd4ffe31238

Analysis

max time kernel
137s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76c1acfde631664b678815a7d3c08418.exe
Size

1000KB
MD5

76c1acfde631664b678815a7d3c08418
SHA1

3a346fa9d58135dccfe1bd6ddba54de63485720a
SHA256

48da6b256c719f7328c57a4d2a617e4a8c5e74bdead1f0cca0439cd4ffe31238
SHA512

bb75764bcd457f9feafeb558cce417bae080bd31d9ecd54d12c8684ac5fb66040624ecca469bfd15fbb278cd5820522bf1cb273a05e9c5f18fb5f0bed09afeb2
SSDEEP

24576:ps95C8GtBuS77WG//o8vG1B+5vMiqt0gj2ed:psB4TZ/xvkqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2344	76c1acfde631664b678815a7d3c08418.exe

Executes dropped EXE 1 IoCs

pid	Process
2344	76c1acfde631664b678815a7d3c08418.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
9	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2344	76c1acfde631664b678815a7d3c08418.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2344	76c1acfde631664b678815a7d3c08418.exe
2344	76c1acfde631664b678815a7d3c08418.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4876	76c1acfde631664b678815a7d3c08418.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4876	76c1acfde631664b678815a7d3c08418.exe
2344	76c1acfde631664b678815a7d3c08418.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 2344	4876	76c1acfde631664b678815a7d3c08418.exe	86
PID 4876 wrote to memory of 2344	4876	76c1acfde631664b678815a7d3c08418.exe	86
PID 4876 wrote to memory of 2344	4876	76c1acfde631664b678815a7d3c08418.exe	86
PID 2344 wrote to memory of 1632	2344	76c1acfde631664b678815a7d3c08418.exe	89
PID 2344 wrote to memory of 1632	2344	76c1acfde631664b678815a7d3c08418.exe	89
PID 2344 wrote to memory of 1632	2344	76c1acfde631664b678815a7d3c08418.exe	89

C:\Users\Admin\AppData\Local\Temp\76c1acfde631664b678815a7d3c08418.exe
"C:\Users\Admin\AppData\Local\Temp\76c1acfde631664b678815a7d3c08418.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Users\Admin\AppData\Local\Temp\76c1acfde631664b678815a7d3c08418.exe
  C:\Users\Admin\AppData\Local\Temp\76c1acfde631664b678815a7d3c08418.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\76c1acfde631664b678815a7d3c08418.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\76c1acfde631664b678815a7d3c08418.exe

Filesize
1000KB

MD5
5a26a11f15ab7dba66d68c0faf4a0794

SHA1
bc8927b0b7426d3993231a0dd21dba740729b069

SHA256
daf4393acea3398d6cb19a0c69d2cbc9cd5df222762075ad095b92805854e0fc

SHA512
3df1c5dea9b612a880c684ffe20eec2da7c2e0841d91a8447de9cdb4dc7e3cafc0ef0f3d8d22105a06354dccbf81876ec90bb9ce8610ac91eaf37105ffbe3f96

Download Submit
memory/2344-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2344-14-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2344-20-0x0000000004FD0000-0x000000000504E000-memory.dmp

Filesize
504KB

Download
memory/2344-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2344-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4876-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4876-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4876-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4876-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download