81447a4e1adce83b8cf1f27720ef2a6595fd0a6582da32db8d9b05d8b9d03a08

Analysis

max time kernel
90s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d0d1096aafcea6950db010ef6257545.exe
Size

1000KB
MD5

8d0d1096aafcea6950db010ef6257545
SHA1

34509c378915af357c88c3a92c13ba1e8863e627
SHA256

81447a4e1adce83b8cf1f27720ef2a6595fd0a6582da32db8d9b05d8b9d03a08
SHA512

9a83c595aea09f94793794994748a1a8b21b774bcc974080a6db3d2fc9d71ddc6125c6aeea2b9a919add97a51f36ba20dfbda4443e51c5b3c6cfc5b1059ca083
SSDEEP

24576:/l+7FQqYqTbpacTIo7oTTT4h1B+5vMiqt0gj2ed:/l+7mNqTbppt7oTTTQqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
716	8d0d1096aafcea6950db010ef6257545.exe

Executes dropped EXE 1 IoCs

pid	Process
716	8d0d1096aafcea6950db010ef6257545.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	pastebin.com
16	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
716	8d0d1096aafcea6950db010ef6257545.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
716	8d0d1096aafcea6950db010ef6257545.exe
716	8d0d1096aafcea6950db010ef6257545.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
932	8d0d1096aafcea6950db010ef6257545.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
932	8d0d1096aafcea6950db010ef6257545.exe
716	8d0d1096aafcea6950db010ef6257545.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 716	932	8d0d1096aafcea6950db010ef6257545.exe	85
PID 932 wrote to memory of 716	932	8d0d1096aafcea6950db010ef6257545.exe	85
PID 932 wrote to memory of 716	932	8d0d1096aafcea6950db010ef6257545.exe	85
PID 716 wrote to memory of 3568	716	8d0d1096aafcea6950db010ef6257545.exe	90
PID 716 wrote to memory of 3568	716	8d0d1096aafcea6950db010ef6257545.exe	90
PID 716 wrote to memory of 3568	716	8d0d1096aafcea6950db010ef6257545.exe	90

C:\Users\Admin\AppData\Local\Temp\8d0d1096aafcea6950db010ef6257545.exe
"C:\Users\Admin\AppData\Local\Temp\8d0d1096aafcea6950db010ef6257545.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:932
- C:\Users\Admin\AppData\Local\Temp\8d0d1096aafcea6950db010ef6257545.exe
  C:\Users\Admin\AppData\Local\Temp\8d0d1096aafcea6950db010ef6257545.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8d0d1096aafcea6950db010ef6257545.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8d0d1096aafcea6950db010ef6257545.exe

Filesize
109KB

MD5
18024bf7263b9589449574699b3654b9

SHA1
db4e23fab1b486af0e107e8bb36d7399d2bef061

SHA256
66036885eb98f1347d2dcfb2ad15e2a3fcb1f0825a4b549c532eb5b46fe19e58

SHA512
08a1497fc76f7e6d60c69f45373f82137b11751a814b41a1b39aad1e2c104c7eb3f73c278c39900e563f734135c707ed6ce52866dfa42fd247984cb2ccfd7a07

Download Submit
memory/716-15-0x0000000001610000-0x0000000001693000-memory.dmp

Filesize
524KB

Download
memory/716-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/716-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/716-20-0x0000000004F20000-0x0000000004F9E000-memory.dmp

Filesize
504KB

Download
memory/716-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/932-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/932-1-0x0000000001620000-0x00000000016A3000-memory.dmp

Filesize
524KB

Download
memory/932-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/932-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download