caa4426a9c16776705a00c166fcbfb6edab7042e0210816debe4160b0e6f5161

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

782d987c6e225646f7cabc9d890552da.exe
Size

1000KB
MD5

782d987c6e225646f7cabc9d890552da
SHA1

6c87008814ee5817906fe1896feac151ce7ebc8e
SHA256

caa4426a9c16776705a00c166fcbfb6edab7042e0210816debe4160b0e6f5161
SHA512

e77616f74d9967481646272fbda052e7f9e2172b651bf33ab4afea5c766314cdde70478fa526b81eea52d92eacd3acaf449a09084713a7bfd8cb78b6192a552c
SSDEEP

24576:1BINLmjbpzB4FMl5jaWn8T1B+5vMiqt0gj2ed:1SQP1CqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4024	782d987c6e225646f7cabc9d890552da.exe

Executes dropped EXE 1 IoCs

pid	Process
4024	782d987c6e225646f7cabc9d890552da.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	pastebin.com
14	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4024	782d987c6e225646f7cabc9d890552da.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3180	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4024	782d987c6e225646f7cabc9d890552da.exe
4024	782d987c6e225646f7cabc9d890552da.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
564	782d987c6e225646f7cabc9d890552da.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
564	782d987c6e225646f7cabc9d890552da.exe
4024	782d987c6e225646f7cabc9d890552da.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 4024	564	782d987c6e225646f7cabc9d890552da.exe	87
PID 564 wrote to memory of 4024	564	782d987c6e225646f7cabc9d890552da.exe	87
PID 564 wrote to memory of 4024	564	782d987c6e225646f7cabc9d890552da.exe	87
PID 4024 wrote to memory of 3180	4024	782d987c6e225646f7cabc9d890552da.exe	89
PID 4024 wrote to memory of 3180	4024	782d987c6e225646f7cabc9d890552da.exe	89
PID 4024 wrote to memory of 3180	4024	782d987c6e225646f7cabc9d890552da.exe	89

C:\Users\Admin\AppData\Local\Temp\782d987c6e225646f7cabc9d890552da.exe
"C:\Users\Admin\AppData\Local\Temp\782d987c6e225646f7cabc9d890552da.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:564
- C:\Users\Admin\AppData\Local\Temp\782d987c6e225646f7cabc9d890552da.exe
  C:\Users\Admin\AppData\Local\Temp\782d987c6e225646f7cabc9d890552da.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\782d987c6e225646f7cabc9d890552da.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\782d987c6e225646f7cabc9d890552da.exe

Filesize
1000KB

MD5
87b747d20d0089e69d628b3ea00818c9

SHA1
1a3cfc13a9122772d58912e4fdc6d3cf2d1fcd4d

SHA256
8fd9fd453f55e3c1984be1a2dad12e068cf35be8970660e7f9861c975a6b2315

SHA512
6100eb8d1676df3e7e64a9dbc4270ee334772347830cbaf79120731c50bc88c1c2bb0e2f0d01202e84d7cc7d5d1aeb3cefefa3bffe12a63928d5ba8496e8ebed

Download Submit
memory/564-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/564-1-0x0000000001650000-0x00000000016D3000-memory.dmp

Filesize
524KB

Download
memory/564-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/564-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4024-14-0x0000000001630000-0x00000000016B3000-memory.dmp

Filesize
524KB

Download
memory/4024-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4024-20-0x0000000004F00000-0x0000000004F7E000-memory.dmp

Filesize
504KB

Download
memory/4024-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4024-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download