c70394b949520a9056a0db7a6ad5dbdb167db2fa14eb7e70231627aed22b293a

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b893bf1dda3ee222f06e14a1ec89424.exe
Size

1000KB
MD5

7b893bf1dda3ee222f06e14a1ec89424
SHA1

78b4fe89dfb4ebb0521592385b2d0a48d557a9bc
SHA256

c70394b949520a9056a0db7a6ad5dbdb167db2fa14eb7e70231627aed22b293a
SHA512

7b051d78398363e06823859f3d8c311da99c941c8c83b97167a74942a0a8f14085c5d8c3919404fc7fec0e5703d3a1fdd2098c7eb7650bc76b816b92ec5c5b88
SSDEEP

12288:Lxmcxdys42nntxTD1AQ1wQVMCsvRwzECaBwQ2tb5JLrnylUPqt0gHDS7eyod:/hxTD1d1wQVMNvRV1B+5vMiqt0gj2ed

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2444	7b893bf1dda3ee222f06e14a1ec89424.exe

Executes dropped EXE 1 IoCs

pid	Process
2444	7b893bf1dda3ee222f06e14a1ec89424.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	pastebin.com
13	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2444	7b893bf1dda3ee222f06e14a1ec89424.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2444	7b893bf1dda3ee222f06e14a1ec89424.exe
2444	7b893bf1dda3ee222f06e14a1ec89424.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
236	7b893bf1dda3ee222f06e14a1ec89424.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
236	7b893bf1dda3ee222f06e14a1ec89424.exe
2444	7b893bf1dda3ee222f06e14a1ec89424.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 2444	236	7b893bf1dda3ee222f06e14a1ec89424.exe	58
PID 236 wrote to memory of 2444	236	7b893bf1dda3ee222f06e14a1ec89424.exe	58
PID 236 wrote to memory of 2444	236	7b893bf1dda3ee222f06e14a1ec89424.exe	58
PID 2444 wrote to memory of 3292	2444	7b893bf1dda3ee222f06e14a1ec89424.exe	77
PID 2444 wrote to memory of 3292	2444	7b893bf1dda3ee222f06e14a1ec89424.exe	77
PID 2444 wrote to memory of 3292	2444	7b893bf1dda3ee222f06e14a1ec89424.exe	77

C:\Users\Admin\AppData\Local\Temp\7b893bf1dda3ee222f06e14a1ec89424.exe
"C:\Users\Admin\AppData\Local\Temp\7b893bf1dda3ee222f06e14a1ec89424.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:236
- C:\Users\Admin\AppData\Local\Temp\7b893bf1dda3ee222f06e14a1ec89424.exe
  C:\Users\Admin\AppData\Local\Temp\7b893bf1dda3ee222f06e14a1ec89424.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\7b893bf1dda3ee222f06e14a1ec89424.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7b893bf1dda3ee222f06e14a1ec89424.exe

Filesize
544KB

MD5
1d7f4822352c5f7322b9fabb750eafb6

SHA1
15ecf6c2ea117dc542cf0ff2a706e82852bc8957

SHA256
36e8ccef81e20a4d8501cdb452298bd3cd609262fa22fda7d75f209d0c0d5e30

SHA512
4bd7189a4297133940d0cb0872dab8fd6ffb2ce8668919bb0caa12d62bb811c33ca40f4cca1ecfd8665e880915b3c9c251cc024a5786c5fabd22e4e8841269e0

Download Submit
memory/236-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/236-1-0x0000000001670000-0x00000000016F3000-memory.dmp

Filesize
524KB

Download
memory/236-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/236-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2444-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2444-20-0x0000000004F40000-0x0000000004FBE000-memory.dmp

Filesize
504KB

Download
memory/2444-16-0x0000000001680000-0x0000000001703000-memory.dmp

Filesize
524KB

Download
memory/2444-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2444-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download