9e3ff14e6051a32162f1948b96c680383d527b51ab95bee25f1f05eeace9e3b8

Analysis

max time kernel
90s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c1104648980db470ccd344e8d52d474.exe
Size

1000KB
MD5

8c1104648980db470ccd344e8d52d474
SHA1

42d94fad13e5f31a525354c03672fb52e2fcf01c
SHA256

9e3ff14e6051a32162f1948b96c680383d527b51ab95bee25f1f05eeace9e3b8
SHA512

17f4daa04ad487fee3bed58851a7256c05c23748f2c5e2c3d07a943e21496b1d5585f9972f1fdb223f3233820069c427e6817ac1ad1dc316e268fbe2541793ad
SSDEEP

24576:wYJOylEo0C6ONW+oSbN1B+5vMiqt0gj2ed:wCbEo0iNW+oSlqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4724	8c1104648980db470ccd344e8d52d474.exe

Executes dropped EXE 1 IoCs

pid	Process
4724	8c1104648980db470ccd344e8d52d474.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
13	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4724	8c1104648980db470ccd344e8d52d474.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4724	8c1104648980db470ccd344e8d52d474.exe
4724	8c1104648980db470ccd344e8d52d474.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3760	8c1104648980db470ccd344e8d52d474.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3760	8c1104648980db470ccd344e8d52d474.exe
4724	8c1104648980db470ccd344e8d52d474.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 4724	3760	8c1104648980db470ccd344e8d52d474.exe	84
PID 3760 wrote to memory of 4724	3760	8c1104648980db470ccd344e8d52d474.exe	84
PID 3760 wrote to memory of 4724	3760	8c1104648980db470ccd344e8d52d474.exe	84
PID 4724 wrote to memory of 3612	4724	8c1104648980db470ccd344e8d52d474.exe	85
PID 4724 wrote to memory of 3612	4724	8c1104648980db470ccd344e8d52d474.exe	85
PID 4724 wrote to memory of 3612	4724	8c1104648980db470ccd344e8d52d474.exe	85

C:\Users\Admin\AppData\Local\Temp\8c1104648980db470ccd344e8d52d474.exe
"C:\Users\Admin\AppData\Local\Temp\8c1104648980db470ccd344e8d52d474.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Users\Admin\AppData\Local\Temp\8c1104648980db470ccd344e8d52d474.exe
  C:\Users\Admin\AppData\Local\Temp\8c1104648980db470ccd344e8d52d474.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8c1104648980db470ccd344e8d52d474.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8c1104648980db470ccd344e8d52d474.exe

Filesize
164KB

MD5
e57debc96ce8c950e28fe1c5438db753

SHA1
281172bb4fdc4754a16c2a99a8c89f7d18d59eef

SHA256
fa801ee80b905f885194e804c43eb53c6c24e2d18745b05a564b62c4869455fb

SHA512
07b432810dd17eecfbd1d7d6d9a97ca5e60ba876de9de8010f7f7612dfa4259b29ceaab941c0aea1627b8996a80a093890fbf658a581da6bfbd81c57e42090a9

Download Submit
memory/3760-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3760-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/3760-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3760-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4724-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4724-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4724-20-0x0000000004FE0000-0x000000000505E000-memory.dmp

Filesize
504KB

Download
memory/4724-15-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4724-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download