a9302c106c46b2077113573a907dc6aa7f4145c1caaed0580b83d26f2ed724ee

Analysis

max time kernel
86s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9708418126006d41887254cd45d80b7e.exe
Size

771KB
MD5

9708418126006d41887254cd45d80b7e
SHA1

d83bf2b0e94370ea1f06b5400bba72cbcb53c852
SHA256

a9302c106c46b2077113573a907dc6aa7f4145c1caaed0580b83d26f2ed724ee
SHA512

a3444fc9367abc46399a87464411853f1d92d4b5c2626ef829c2e73c0509487955fa66967277a8ab66b562e89140333edd7d72083f4132ffbdcc862bc317e8c4
SSDEEP

12288:FEWYX5VbRLKO21GJgnrfBWNFZYLom73hY6r4LC393wyC6Y9oR+aMECaBwQ2tb5Jv:qXj21GkNWBOowr4LiNijq1B+5vM0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2816	9708418126006d41887254cd45d80b7e.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	9708418126006d41887254cd45d80b7e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	pastebin.com
16	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2816	9708418126006d41887254cd45d80b7e.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2816	9708418126006d41887254cd45d80b7e.exe
2816	9708418126006d41887254cd45d80b7e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4728	9708418126006d41887254cd45d80b7e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4728	9708418126006d41887254cd45d80b7e.exe
2816	9708418126006d41887254cd45d80b7e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 2816	4728	9708418126006d41887254cd45d80b7e.exe	86
PID 4728 wrote to memory of 2816	4728	9708418126006d41887254cd45d80b7e.exe	86
PID 4728 wrote to memory of 2816	4728	9708418126006d41887254cd45d80b7e.exe	86
PID 2816 wrote to memory of 1972	2816	9708418126006d41887254cd45d80b7e.exe	87
PID 2816 wrote to memory of 1972	2816	9708418126006d41887254cd45d80b7e.exe	87
PID 2816 wrote to memory of 1972	2816	9708418126006d41887254cd45d80b7e.exe	87

C:\Users\Admin\AppData\Local\Temp\9708418126006d41887254cd45d80b7e.exe
"C:\Users\Admin\AppData\Local\Temp\9708418126006d41887254cd45d80b7e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Users\Admin\AppData\Local\Temp\9708418126006d41887254cd45d80b7e.exe
  C:\Users\Admin\AppData\Local\Temp\9708418126006d41887254cd45d80b7e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\9708418126006d41887254cd45d80b7e.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9708418126006d41887254cd45d80b7e.exe

Filesize
771KB

MD5
9219f5cec101a8e37bdab6e15d7d5dcb

SHA1
3544739e011fcc4f5e0f2804a0833d7bf0966135

SHA256
4a60514cf182310f5622cde4ccdbbbfbf4d88289444cb7145f916c5e7d7e21e9

SHA512
785d29dbae8f9374523105764789e8a0e06241c7f83037ec43e4c70565132f03226849763dd90fd00856e001e68ebe8a4bf3dc825b966e026286d768dcdb5b74

Download Submit
memory/2816-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2816-15-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2816-20-0x0000000001680000-0x00000000016FE000-memory.dmp

Filesize
504KB

Download
memory/2816-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2816-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4728-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4728-1-0x0000000001640000-0x00000000016C3000-memory.dmp

Filesize
524KB

Download
memory/4728-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4728-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download