3ee36d08d1975eb778cea851bbf7dc874e8062c2ff556d397100f860e64db917

Analysis

max time kernel
91s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 11:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9712c1bfc5685be35f23eb286d75ab65.exe
Size

1000KB
MD5

9712c1bfc5685be35f23eb286d75ab65
SHA1

168d6ccec457f25863e77d5d6fa64539ae113c16
SHA256

3ee36d08d1975eb778cea851bbf7dc874e8062c2ff556d397100f860e64db917
SHA512

546f5ff4c3c27d6aa39a5972f53e1847168f8db6bb2f1f21dd7f48ad0a6ee4cae18152684dba5b61acdfd8783773840ec25fbc16b7332defcb231d6d1fc42f5e
SSDEEP

12288:SfomA0l7EJ+fRjScj/nwa8zvOUUfg2rN9qAeFQjBECaBwQ2tb5JLrnylUPqt0gHj:QwMjvwHzfUfzrtLji1B+5vMiqt0gj2ed

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2556	9712c1bfc5685be35f23eb286d75ab65.exe

Executes dropped EXE 1 IoCs

pid	Process
2556	9712c1bfc5685be35f23eb286d75ab65.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	pastebin.com
23	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2556	9712c1bfc5685be35f23eb286d75ab65.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2556	9712c1bfc5685be35f23eb286d75ab65.exe
2556	9712c1bfc5685be35f23eb286d75ab65.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4820	9712c1bfc5685be35f23eb286d75ab65.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4820	9712c1bfc5685be35f23eb286d75ab65.exe
2556	9712c1bfc5685be35f23eb286d75ab65.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 2556	4820	9712c1bfc5685be35f23eb286d75ab65.exe	83
PID 4820 wrote to memory of 2556	4820	9712c1bfc5685be35f23eb286d75ab65.exe	83
PID 4820 wrote to memory of 2556	4820	9712c1bfc5685be35f23eb286d75ab65.exe	83
PID 2556 wrote to memory of 2028	2556	9712c1bfc5685be35f23eb286d75ab65.exe	84
PID 2556 wrote to memory of 2028	2556	9712c1bfc5685be35f23eb286d75ab65.exe	84
PID 2556 wrote to memory of 2028	2556	9712c1bfc5685be35f23eb286d75ab65.exe	84

C:\Users\Admin\AppData\Local\Temp\9712c1bfc5685be35f23eb286d75ab65.exe
"C:\Users\Admin\AppData\Local\Temp\9712c1bfc5685be35f23eb286d75ab65.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Users\Admin\AppData\Local\Temp\9712c1bfc5685be35f23eb286d75ab65.exe
  C:\Users\Admin\AppData\Local\Temp\9712c1bfc5685be35f23eb286d75ab65.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\9712c1bfc5685be35f23eb286d75ab65.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9712c1bfc5685be35f23eb286d75ab65.exe

Filesize
1000KB

MD5
5993c3028aaa250dcffe3a59e62b88a8

SHA1
a41392837e8b14119e14ffcf6abfb96417dba92c

SHA256
2e4045000bd8f3df36f715af91858dddbc78786c3bca6c7a89155a293f094942

SHA512
1bbfebceb699cb010b1d4b41ff4291b8f946a8885bec782e032cc23958c23c44fe0dd8850a7ead7928c2cc65ac8f97368a3dd8a0392a5ae4cb12daff58db6540

Download Submit
memory/2556-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2556-15-0x00000000015F0000-0x0000000001673000-memory.dmp

Filesize
524KB

Download
memory/2556-20-0x0000000004F20000-0x0000000004F9E000-memory.dmp

Filesize
504KB

Download
memory/2556-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2556-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4820-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4820-1-0x0000000001680000-0x0000000001703000-memory.dmp

Filesize
524KB

Download
memory/4820-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4820-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download