bddbe4d41a3b18d4ffd7ddc2d6cf6bc733df3d12609404660d388400be4ba6ed

Analysis

max time kernel
108s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ce69e39addebe3d8f6d287887ddfd52.exe
Size

506KB
MD5

8ce69e39addebe3d8f6d287887ddfd52
SHA1

b4fb6a2d0e046e3a04c39e39d1476e76f30fe0c5
SHA256

bddbe4d41a3b18d4ffd7ddc2d6cf6bc733df3d12609404660d388400be4ba6ed
SHA512

2f7f074b443c4fb9d5012a8d2d438e0ed23216536a4e1fce014406a6119582f21f3bb9bb392965b9e6a27a1c4786497cf1cf979161a3c7090d82c70c754c661d
SSDEEP

12288:vWA8dBO5uhR0yNttMsgxi/VIjI+8OADKZXfp8Fl4L/1Dl:vWA8dKuYyDtZ050dcOlaDl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2888	8ce69e39addebe3d8f6d287887ddfd52.exe

Executes dropped EXE 1 IoCs

pid	Process
2888	8ce69e39addebe3d8f6d287887ddfd52.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	pastebin.com
16	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2888	8ce69e39addebe3d8f6d287887ddfd52.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2888	8ce69e39addebe3d8f6d287887ddfd52.exe
2888	8ce69e39addebe3d8f6d287887ddfd52.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1984	8ce69e39addebe3d8f6d287887ddfd52.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1984	8ce69e39addebe3d8f6d287887ddfd52.exe
2888	8ce69e39addebe3d8f6d287887ddfd52.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2888	1984	8ce69e39addebe3d8f6d287887ddfd52.exe	83
PID 1984 wrote to memory of 2888	1984	8ce69e39addebe3d8f6d287887ddfd52.exe	83
PID 1984 wrote to memory of 2888	1984	8ce69e39addebe3d8f6d287887ddfd52.exe	83
PID 2888 wrote to memory of 1120	2888	8ce69e39addebe3d8f6d287887ddfd52.exe	84
PID 2888 wrote to memory of 1120	2888	8ce69e39addebe3d8f6d287887ddfd52.exe	84
PID 2888 wrote to memory of 1120	2888	8ce69e39addebe3d8f6d287887ddfd52.exe	84

C:\Users\Admin\AppData\Local\Temp\8ce69e39addebe3d8f6d287887ddfd52.exe
"C:\Users\Admin\AppData\Local\Temp\8ce69e39addebe3d8f6d287887ddfd52.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\8ce69e39addebe3d8f6d287887ddfd52.exe
  C:\Users\Admin\AppData\Local\Temp\8ce69e39addebe3d8f6d287887ddfd52.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8ce69e39addebe3d8f6d287887ddfd52.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8ce69e39addebe3d8f6d287887ddfd52.exe

Filesize
506KB

MD5
fb461e356acb393f845d00c011b1b6d4

SHA1
e36193d8b7960e49adf381d4a6ecd51537ffc84a

SHA256
72b97ad5caa058dd703d026d3d249d64dd647cb35e6b838702da0f0f50863993

SHA512
517107ce46b537bec46c622e46aa6c00e443f1d4087ebb3e2c604cfaa7a93647e483904ea8b4f972dabda079f9db5764605455030649d440fb2a1e0a3cef7d63

Download Submit
memory/1984-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1984-1-0x0000000001660000-0x00000000016E3000-memory.dmp

Filesize
524KB

Download
memory/1984-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1984-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2888-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2888-14-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2888-20-0x0000000001690000-0x000000000170E000-memory.dmp

Filesize
504KB

Download
memory/2888-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2888-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download