50302c7713990867aaa7e6c10ec8d43c930172be9022e1a88bc881e6cbb0f217

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eee154bc9abe1abe6a24131083df902.exe
Size

506KB
MD5

8eee154bc9abe1abe6a24131083df902
SHA1

8ebf8cd206e9a66034795fe01cb07e2034d18637
SHA256

50302c7713990867aaa7e6c10ec8d43c930172be9022e1a88bc881e6cbb0f217
SHA512

31eb4fb02d711bb87ee13f8a202912b50e600ba5ab2e83be5f23a4c81cd6bf25cd790a857589b04cb984c57f9e5a61400fdc64976cb6c53083d98f1417ed22f0
SSDEEP

12288:Dd87btGK0WBBanptiwLTozquJoMVdhzoWTYDb1:pcGBWoeqozquJZV/oWg1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2132	8eee154bc9abe1abe6a24131083df902.exe

Executes dropped EXE 1 IoCs

pid	Process
2132	8eee154bc9abe1abe6a24131083df902.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
9	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2132	8eee154bc9abe1abe6a24131083df902.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2132	8eee154bc9abe1abe6a24131083df902.exe
2132	8eee154bc9abe1abe6a24131083df902.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3584	8eee154bc9abe1abe6a24131083df902.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3584	8eee154bc9abe1abe6a24131083df902.exe
2132	8eee154bc9abe1abe6a24131083df902.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 2132	3584	8eee154bc9abe1abe6a24131083df902.exe	84
PID 3584 wrote to memory of 2132	3584	8eee154bc9abe1abe6a24131083df902.exe	84
PID 3584 wrote to memory of 2132	3584	8eee154bc9abe1abe6a24131083df902.exe	84
PID 2132 wrote to memory of 3080	2132	8eee154bc9abe1abe6a24131083df902.exe	85
PID 2132 wrote to memory of 3080	2132	8eee154bc9abe1abe6a24131083df902.exe	85
PID 2132 wrote to memory of 3080	2132	8eee154bc9abe1abe6a24131083df902.exe	85

C:\Users\Admin\AppData\Local\Temp\8eee154bc9abe1abe6a24131083df902.exe
"C:\Users\Admin\AppData\Local\Temp\8eee154bc9abe1abe6a24131083df902.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Users\Admin\AppData\Local\Temp\8eee154bc9abe1abe6a24131083df902.exe
  C:\Users\Admin\AppData\Local\Temp\8eee154bc9abe1abe6a24131083df902.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8eee154bc9abe1abe6a24131083df902.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8eee154bc9abe1abe6a24131083df902.exe

Filesize
506KB

MD5
4da7866d25774e39a4fa103edd91a02e

SHA1
537cb34de76d18d2e97edc81e66b81c3e66088f0

SHA256
141b2ca527b831db38c726a589ac56ecbe388ba72f3c9a8c87ed9e5bb0333dd4

SHA512
d2d132e22982897779b8cd0314cabe987d841fe6b8b9dde89b9313836605aa3a15fcc02c6189e3e2bb7a5c11c38c3afb9bc43b9e8629285918cd77d3aafb4657

Download Submit
memory/2132-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2132-14-0x0000000001690000-0x0000000001713000-memory.dmp

Filesize
524KB

Download
memory/2132-20-0x0000000002780000-0x00000000027FE000-memory.dmp

Filesize
504KB

Download
memory/2132-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2132-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3584-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3584-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/3584-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3584-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download