59a066c642007593a1965cefe67952c5574e6177c891c64bce706ae6269a4bce

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 14:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

77a883b974e7025c7737b512c1c96b5d.exe
Size

1000KB
MD5

77a883b974e7025c7737b512c1c96b5d
SHA1

8936c128d632b35f4f604ed11f9039da01d2cbb6
SHA256

59a066c642007593a1965cefe67952c5574e6177c891c64bce706ae6269a4bce
SHA512

73590622a499374c3eee355c1b6687f0fce94e9bb88fda97f64042d1feafa09beee661c6fb98f7996747968152866759c948f727464a88b571f99d1f65c68bdc
SSDEEP

12288:E/uCdmWxpjq2wHdBl/eRvIFLJ9VfObosECaBwQ2tb5JLrnylUPqt0gHDS7eyod:9kBwroRSLJ2on1B+5vMiqt0gj2ed

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2416	77a883b974e7025c7737b512c1c96b5d.exe

Executes dropped EXE 1 IoCs

pid	Process
2416	77a883b974e7025c7737b512c1c96b5d.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	pastebin.com
13	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2416	77a883b974e7025c7737b512c1c96b5d.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2416	77a883b974e7025c7737b512c1c96b5d.exe
2416	77a883b974e7025c7737b512c1c96b5d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4352	77a883b974e7025c7737b512c1c96b5d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4352	77a883b974e7025c7737b512c1c96b5d.exe
2416	77a883b974e7025c7737b512c1c96b5d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 2416	4352	77a883b974e7025c7737b512c1c96b5d.exe	85
PID 4352 wrote to memory of 2416	4352	77a883b974e7025c7737b512c1c96b5d.exe	85
PID 4352 wrote to memory of 2416	4352	77a883b974e7025c7737b512c1c96b5d.exe	85
PID 2416 wrote to memory of 3536	2416	77a883b974e7025c7737b512c1c96b5d.exe	89
PID 2416 wrote to memory of 3536	2416	77a883b974e7025c7737b512c1c96b5d.exe	89
PID 2416 wrote to memory of 3536	2416	77a883b974e7025c7737b512c1c96b5d.exe	89

C:\Users\Admin\AppData\Local\Temp\77a883b974e7025c7737b512c1c96b5d.exe
"C:\Users\Admin\AppData\Local\Temp\77a883b974e7025c7737b512c1c96b5d.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Users\Admin\AppData\Local\Temp\77a883b974e7025c7737b512c1c96b5d.exe
  C:\Users\Admin\AppData\Local\Temp\77a883b974e7025c7737b512c1c96b5d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\77a883b974e7025c7737b512c1c96b5d.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\77a883b974e7025c7737b512c1c96b5d.exe

Filesize
1000KB

MD5
9794bafe6556ee87432d6477a13c4cef

SHA1
ae412267571e366f5c2576ee72793a8839b4e86a

SHA256
455c19702d1731b60d6f64557057a41588c4423e06394c8d8e26ae32ddc848d5

SHA512
c1bd1b21308ac1a51d7b493b7d70802e86a19da4cd098c32dda4e33a42bc8852f5a008fa6ecc553cbbad9115264403aa3a11cc5549db05b26e90c9bad60a2ded

Download Submit
memory/2416-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2416-16-0x0000000001630000-0x00000000016B3000-memory.dmp

Filesize
524KB

Download
memory/2416-20-0x0000000004F80000-0x0000000004FFE000-memory.dmp

Filesize
504KB

Download
memory/2416-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2416-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4352-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4352-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4352-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4352-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download