6bf9c9ba619df6c15befba8cea695b6e7df1ce7a8b843d304eecc71248e2c858

Analysis

max time kernel
92s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97e46ad2eed9f3079baaeb4d0f7f476b.exe
Size

771KB
MD5

97e46ad2eed9f3079baaeb4d0f7f476b
SHA1

014680bbbbefd977b50002233af54ab07d4846af
SHA256

6bf9c9ba619df6c15befba8cea695b6e7df1ce7a8b843d304eecc71248e2c858
SHA512

8003fb326212fc129981d6e463fd9fe6e6a45ba3e53b66d561b810d875a6347b366a010823b59b0a52f88a046d2dbd5bccb125e21c7f3ea8a6c37b0e0cd1db4b
SSDEEP

12288:GJ3/IV44aRFPdUURBsOolngTTX3hAOpSXWZL4YfZZG+ECaBwQ2tb5JLrnyl0:GdpRFFUpXlWTHhAPqL4Yyt1B+5vM0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
368	97e46ad2eed9f3079baaeb4d0f7f476b.exe

Executes dropped EXE 1 IoCs

pid	Process
368	97e46ad2eed9f3079baaeb4d0f7f476b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	pastebin.com
12	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
368	97e46ad2eed9f3079baaeb4d0f7f476b.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
368	97e46ad2eed9f3079baaeb4d0f7f476b.exe
368	97e46ad2eed9f3079baaeb4d0f7f476b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4268	97e46ad2eed9f3079baaeb4d0f7f476b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4268	97e46ad2eed9f3079baaeb4d0f7f476b.exe
368	97e46ad2eed9f3079baaeb4d0f7f476b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 368	4268	97e46ad2eed9f3079baaeb4d0f7f476b.exe	83
PID 4268 wrote to memory of 368	4268	97e46ad2eed9f3079baaeb4d0f7f476b.exe	83
PID 4268 wrote to memory of 368	4268	97e46ad2eed9f3079baaeb4d0f7f476b.exe	83
PID 368 wrote to memory of 4460	368	97e46ad2eed9f3079baaeb4d0f7f476b.exe	84
PID 368 wrote to memory of 4460	368	97e46ad2eed9f3079baaeb4d0f7f476b.exe	84
PID 368 wrote to memory of 4460	368	97e46ad2eed9f3079baaeb4d0f7f476b.exe	84

C:\Users\Admin\AppData\Local\Temp\97e46ad2eed9f3079baaeb4d0f7f476b.exe
"C:\Users\Admin\AppData\Local\Temp\97e46ad2eed9f3079baaeb4d0f7f476b.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Local\Temp\97e46ad2eed9f3079baaeb4d0f7f476b.exe
  C:\Users\Admin\AppData\Local\Temp\97e46ad2eed9f3079baaeb4d0f7f476b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\97e46ad2eed9f3079baaeb4d0f7f476b.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\97e46ad2eed9f3079baaeb4d0f7f476b.exe

Filesize
771KB

MD5
07dd1f66445e12eb26c3d744feb5a7c4

SHA1
497af28f006f866d8679c81d4a60ecc640066ea3

SHA256
339dc50ccd0e8c03f6013c9e459cac5e8b5b85a851f1dea178f379429c361fc1

SHA512
3e1469ceb2c07c13bf6dced62eea58e4af47b8105af0801252222161e6e24b39bf5e8515d1ba8890b2e019614a356c659f67730636a9a7d39c848f30793ff336

Download Submit
memory/368-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/368-14-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/368-20-0x0000000001670000-0x00000000016EE000-memory.dmp

Filesize
504KB

Download
memory/368-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/368-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4268-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4268-1-0x00000000015E0000-0x0000000001663000-memory.dmp

Filesize
524KB

Download
memory/4268-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4268-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download