e2a8710255aa32d500295ea0372449906a479d62e90494da3eeac2e256001204

Analysis

max time kernel
93s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ad8c924ea41e40accee2ced2ccae0dd.exe
Size

506KB
MD5

8ad8c924ea41e40accee2ced2ccae0dd
SHA1

cbce91f4691ff8f2e8d4ebb0bd9c333a7462e302
SHA256

e2a8710255aa32d500295ea0372449906a479d62e90494da3eeac2e256001204
SHA512

be900a8050eb914c36ccaf2b8666eb92a54831fe1950602574a3133057b20d3109953cc47892cac66f60565d8d7d5719bfb85574af62b065ca667be336bbbb9f
SSDEEP

12288:xmP2B+hF/DYor02OaKoyvi7OBrS1f9Yh2TNai72:xVB+Lf0xirKAai72

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4484	8ad8c924ea41e40accee2ced2ccae0dd.exe

Executes dropped EXE 1 IoCs

pid	Process
4484	8ad8c924ea41e40accee2ced2ccae0dd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
11	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4484	8ad8c924ea41e40accee2ced2ccae0dd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4484	8ad8c924ea41e40accee2ced2ccae0dd.exe
4484	8ad8c924ea41e40accee2ced2ccae0dd.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2384	8ad8c924ea41e40accee2ced2ccae0dd.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2384	8ad8c924ea41e40accee2ced2ccae0dd.exe
4484	8ad8c924ea41e40accee2ced2ccae0dd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 4484	2384	8ad8c924ea41e40accee2ced2ccae0dd.exe	87
PID 2384 wrote to memory of 4484	2384	8ad8c924ea41e40accee2ced2ccae0dd.exe	87
PID 2384 wrote to memory of 4484	2384	8ad8c924ea41e40accee2ced2ccae0dd.exe	87
PID 4484 wrote to memory of 4644	4484	8ad8c924ea41e40accee2ced2ccae0dd.exe	90
PID 4484 wrote to memory of 4644	4484	8ad8c924ea41e40accee2ced2ccae0dd.exe	90
PID 4484 wrote to memory of 4644	4484	8ad8c924ea41e40accee2ced2ccae0dd.exe	90

C:\Users\Admin\AppData\Local\Temp\8ad8c924ea41e40accee2ced2ccae0dd.exe
"C:\Users\Admin\AppData\Local\Temp\8ad8c924ea41e40accee2ced2ccae0dd.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\8ad8c924ea41e40accee2ced2ccae0dd.exe
  C:\Users\Admin\AppData\Local\Temp\8ad8c924ea41e40accee2ced2ccae0dd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8ad8c924ea41e40accee2ced2ccae0dd.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8ad8c924ea41e40accee2ced2ccae0dd.exe

Filesize
506KB

MD5
771abb0543f8d5987abdfe4667b257d0

SHA1
0d1ca64e011af5c210cc4a317c7578a7e4689d7e

SHA256
cf437e47b448f8d852b0e372c4da5504b63b464179ecf919b9bd2d1e36d2ac28

SHA512
e0459ac5f968afb17acc5c7bfe110e4b96b3b6434e7d617458ef26d5087b1e012813b0ebf3f76586febc315d84c9776e8998b3b5715d98dc71f5957645d7ad54

Download Submit
memory/2384-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2384-1-0x0000000001650000-0x00000000016D3000-memory.dmp

Filesize
524KB

Download
memory/2384-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2384-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4484-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4484-16-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4484-20-0x0000000004F80000-0x0000000004FFE000-memory.dmp

Filesize
504KB

Download
memory/4484-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4484-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download