e10e5abb7f6d8b84845bcb0fb226372abf6ffece2ead745e2010e3211dfb7746

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 07:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

98e1ea2f0f1b4ce9d29a597af8e74ede.exe
Size

1000KB
MD5

98e1ea2f0f1b4ce9d29a597af8e74ede
SHA1

d1b842d15ab672d1ecae558d27a9f03adf0ae81a
SHA256

e10e5abb7f6d8b84845bcb0fb226372abf6ffece2ead745e2010e3211dfb7746
SHA512

42efe285b1478a2b24894cf574bb200a69264d9cdbc7f17d1a462280951eec39f627141558746acfb02aad82f68b2feddfe9d49b0c26d25069e0ac2cd8b9ad2f
SSDEEP

12288:ka75mnVQQgDZ5q2ze5aPWcSagAgLGZYMqCMZ8j1FIECaBwQ2tb5JLrnylUPqt0gD:3QaPKvaDa6Wo71B+5vMiqt0gj2ed

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4900	98e1ea2f0f1b4ce9d29a597af8e74ede.exe

Executes dropped EXE 1 IoCs

pid	Process
4900	98e1ea2f0f1b4ce9d29a597af8e74ede.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
7	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4900	98e1ea2f0f1b4ce9d29a597af8e74ede.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4900	98e1ea2f0f1b4ce9d29a597af8e74ede.exe
4900	98e1ea2f0f1b4ce9d29a597af8e74ede.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4140	98e1ea2f0f1b4ce9d29a597af8e74ede.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4140	98e1ea2f0f1b4ce9d29a597af8e74ede.exe
4900	98e1ea2f0f1b4ce9d29a597af8e74ede.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 4900	4140	98e1ea2f0f1b4ce9d29a597af8e74ede.exe	84
PID 4140 wrote to memory of 4900	4140	98e1ea2f0f1b4ce9d29a597af8e74ede.exe	84
PID 4140 wrote to memory of 4900	4140	98e1ea2f0f1b4ce9d29a597af8e74ede.exe	84
PID 4900 wrote to memory of 2320	4900	98e1ea2f0f1b4ce9d29a597af8e74ede.exe	85
PID 4900 wrote to memory of 2320	4900	98e1ea2f0f1b4ce9d29a597af8e74ede.exe	85
PID 4900 wrote to memory of 2320	4900	98e1ea2f0f1b4ce9d29a597af8e74ede.exe	85

C:\Users\Admin\AppData\Local\Temp\98e1ea2f0f1b4ce9d29a597af8e74ede.exe
"C:\Users\Admin\AppData\Local\Temp\98e1ea2f0f1b4ce9d29a597af8e74ede.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Users\Admin\AppData\Local\Temp\98e1ea2f0f1b4ce9d29a597af8e74ede.exe
  C:\Users\Admin\AppData\Local\Temp\98e1ea2f0f1b4ce9d29a597af8e74ede.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\98e1ea2f0f1b4ce9d29a597af8e74ede.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\98e1ea2f0f1b4ce9d29a597af8e74ede.exe

Filesize
1000KB

MD5
9c1d62a5f2e21fd9715f6eaa39b82498

SHA1
35a42020cb0021fdca4bcfb626ce0d78c093c337

SHA256
e353bcf4df14543f0518236869b5b2235b9710c800a12abc98e84676ec6540cf

SHA512
a34e8d78d3100b904550e7d5372392f45a0f1f98b663d75954af1aa0b01f23f3a4bd781a038e416084567cfff2f96172eaae42642b1fbf582e75a31d54e5f807

Download Submit
memory/4140-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4140-1-0x00000000016D0000-0x0000000001753000-memory.dmp

Filesize
524KB

Download
memory/4140-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4140-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4900-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4900-14-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4900-20-0x0000000004F60000-0x0000000004FDE000-memory.dmp

Filesize
504KB

Download
memory/4900-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4900-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download