dd22e9d5f096f56cdfb199144d9498af6d529e6a831c21efa46b60740af5483a

Analysis

max time kernel
135s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f418d22b7d92dc92b12d25517d7067a.exe
Size

1000KB
MD5

7f418d22b7d92dc92b12d25517d7067a
SHA1

fff33cda2fe6b52a3ff0887057b4ab2517773fe5
SHA256

dd22e9d5f096f56cdfb199144d9498af6d529e6a831c21efa46b60740af5483a
SHA512

ab89bf98c5b632439cf83fa1f0982ed88e89abfde811086c60588325ec72a7ffa2aa11bcd4282d3e0b7d7b46333dca3450837174404a592ae6c6ed042fe715d8
SSDEEP

24576:a78K/A31v4LU3x0D7y1B+5vMiqt0gj2ed:a7bA3aU36IqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5076	7f418d22b7d92dc92b12d25517d7067a.exe

Executes dropped EXE 1 IoCs

pid	Process
5076	7f418d22b7d92dc92b12d25517d7067a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com
14	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5076	7f418d22b7d92dc92b12d25517d7067a.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5076	7f418d22b7d92dc92b12d25517d7067a.exe
5076	7f418d22b7d92dc92b12d25517d7067a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3728	7f418d22b7d92dc92b12d25517d7067a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3728	7f418d22b7d92dc92b12d25517d7067a.exe
5076	7f418d22b7d92dc92b12d25517d7067a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 5076	3728	7f418d22b7d92dc92b12d25517d7067a.exe	85
PID 3728 wrote to memory of 5076	3728	7f418d22b7d92dc92b12d25517d7067a.exe	85
PID 3728 wrote to memory of 5076	3728	7f418d22b7d92dc92b12d25517d7067a.exe	85
PID 5076 wrote to memory of 2668	5076	7f418d22b7d92dc92b12d25517d7067a.exe	87
PID 5076 wrote to memory of 2668	5076	7f418d22b7d92dc92b12d25517d7067a.exe	87
PID 5076 wrote to memory of 2668	5076	7f418d22b7d92dc92b12d25517d7067a.exe	87

C:\Users\Admin\AppData\Local\Temp\7f418d22b7d92dc92b12d25517d7067a.exe
"C:\Users\Admin\AppData\Local\Temp\7f418d22b7d92dc92b12d25517d7067a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Local\Temp\7f418d22b7d92dc92b12d25517d7067a.exe
  C:\Users\Admin\AppData\Local\Temp\7f418d22b7d92dc92b12d25517d7067a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\7f418d22b7d92dc92b12d25517d7067a.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7f418d22b7d92dc92b12d25517d7067a.exe

Filesize
1000KB

MD5
bba39e4efd9a5f37a5f0fe09d3e392f1

SHA1
2e23ef1a17bcb4b5101007fd07199d27646ae00e

SHA256
b9fe1f41b84b5fa8af1a108abc61da822cc350abd67c11a5466b2f313c9165f4

SHA512
b3da47c39015ed5d76158576b2098af92dd78ed274846a9f06144e76e19916a00826fa9aad3e68ea6829ee6315d5debd14fe413f2462e94fc00247b32f2374fb

Download Submit
memory/3728-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3728-1-0x00000000016B0000-0x0000000001733000-memory.dmp

Filesize
524KB

Download
memory/3728-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3728-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5076-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5076-14-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/5076-20-0x0000000004EF0000-0x0000000004F6E000-memory.dmp

Filesize
504KB

Download
memory/5076-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5076-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download