d7f56aec9688fe21ff3a7daaf03f36f191da44a1a423116d46784c8acec678d6

Analysis

max time kernel
92s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

869cf93abd01f6981cf2d473582f94dd.exe
Size

506KB
MD5

869cf93abd01f6981cf2d473582f94dd
SHA1

860bfbf8012f8b76820f0c959ccf7061974243fc
SHA256

d7f56aec9688fe21ff3a7daaf03f36f191da44a1a423116d46784c8acec678d6
SHA512

204535682211eec81d34e1a93690aa6001548b9e115753be10adcefc2592b14987537f6364afb4385c3aaaad773adf3aa965d65e95bed1dfb5171a6af0a6b7ed
SSDEEP

12288:maBXFdf810VjbbqI8vo/RQB/Kbx4lYKdGsO58n8s5rF1:9BrfKs3qnvo/RE/2x4hG7Sn8Qh1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2196	869cf93abd01f6981cf2d473582f94dd.exe

Executes dropped EXE 1 IoCs

pid	Process
2196	869cf93abd01f6981cf2d473582f94dd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
11	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2196	869cf93abd01f6981cf2d473582f94dd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2196	869cf93abd01f6981cf2d473582f94dd.exe
2196	869cf93abd01f6981cf2d473582f94dd.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5044	869cf93abd01f6981cf2d473582f94dd.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5044	869cf93abd01f6981cf2d473582f94dd.exe
2196	869cf93abd01f6981cf2d473582f94dd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 2196	5044	869cf93abd01f6981cf2d473582f94dd.exe	49
PID 5044 wrote to memory of 2196	5044	869cf93abd01f6981cf2d473582f94dd.exe	49
PID 5044 wrote to memory of 2196	5044	869cf93abd01f6981cf2d473582f94dd.exe	49
PID 2196 wrote to memory of 4004	2196	869cf93abd01f6981cf2d473582f94dd.exe	66
PID 2196 wrote to memory of 4004	2196	869cf93abd01f6981cf2d473582f94dd.exe	66
PID 2196 wrote to memory of 4004	2196	869cf93abd01f6981cf2d473582f94dd.exe	66

C:\Users\Admin\AppData\Local\Temp\869cf93abd01f6981cf2d473582f94dd.exe
"C:\Users\Admin\AppData\Local\Temp\869cf93abd01f6981cf2d473582f94dd.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\869cf93abd01f6981cf2d473582f94dd.exe
  C:\Users\Admin\AppData\Local\Temp\869cf93abd01f6981cf2d473582f94dd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\869cf93abd01f6981cf2d473582f94dd.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\869cf93abd01f6981cf2d473582f94dd.exe

Filesize
506KB

MD5
e72055906101780ff845aab149a0fa49

SHA1
cd9bba5f8ae27b165a183a36b8b77c043bae8407

SHA256
4a979436d33c3a811cdbe967997d6c9ddd89039345697826dc80772db41d1e42

SHA512
bb3871a1f889e90a0820e80c85a80803915e3b363cbe96214337297032196c769bb567db4a0ea2122339f22ec5c5facf97ae2313f6a5d7b9d8fe5c4262f0ae83

Download Submit
memory/2196-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2196-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2196-20-0x0000000001680000-0x00000000016FE000-memory.dmp

Filesize
504KB

Download
memory/2196-17-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2196-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5044-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5044-1-0x0000000001650000-0x00000000016D3000-memory.dmp

Filesize
524KB

Download
memory/5044-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5044-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download