5df3d6db668a709a3a492630fb858834d90719e95879089d235dbf9483ff0f0a

General

Target

a1143032ba8532ff8e5fb100228ab0f5.exe
Size

506KB
MD5

a1143032ba8532ff8e5fb100228ab0f5
SHA1

af144182e55e92b9a85072326e115677b5eb46ff
SHA256

5df3d6db668a709a3a492630fb858834d90719e95879089d235dbf9483ff0f0a
SHA512

d7c313f1bf4ae73afcbc5c2b52e96672c2f13269cc3452f38e1c55bc4b919586adfb6efa5d312e393160d28e59231c718f52f2e84a0ee29fe601352f096cf19b
SSDEEP

12288:wY+tOFcxNj46Eo0C6iWKv1XS2dWOIcugluiVb8v:wYqOylEo0C6ONW+oSbG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2852	a1143032ba8532ff8e5fb100228ab0f5.exe

Executes dropped EXE 1 IoCs

pid	Process
2852	a1143032ba8532ff8e5fb100228ab0f5.exe

Loads dropped DLL 1 IoCs

pid	Process
2968	a1143032ba8532ff8e5fb100228ab0f5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
5	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2852	a1143032ba8532ff8e5fb100228ab0f5.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2852	a1143032ba8532ff8e5fb100228ab0f5.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2968	a1143032ba8532ff8e5fb100228ab0f5.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2968	a1143032ba8532ff8e5fb100228ab0f5.exe
2852	a1143032ba8532ff8e5fb100228ab0f5.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2852	2968	a1143032ba8532ff8e5fb100228ab0f5.exe	3
PID 2968 wrote to memory of 2852	2968	a1143032ba8532ff8e5fb100228ab0f5.exe	3
PID 2968 wrote to memory of 2852	2968	a1143032ba8532ff8e5fb100228ab0f5.exe	3
PID 2968 wrote to memory of 2852	2968	a1143032ba8532ff8e5fb100228ab0f5.exe	3
PID 2852 wrote to memory of 2660	2852	a1143032ba8532ff8e5fb100228ab0f5.exe	2
PID 2852 wrote to memory of 2660	2852	a1143032ba8532ff8e5fb100228ab0f5.exe	2
PID 2852 wrote to memory of 2660	2852	a1143032ba8532ff8e5fb100228ab0f5.exe	2
PID 2852 wrote to memory of 2660	2852	a1143032ba8532ff8e5fb100228ab0f5.exe	2

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\a1143032ba8532ff8e5fb100228ab0f5.exe" /TN Google_Trk_Updater /F
1⤵
- Creates scheduled task(s)
PID:2660

C:\Users\Admin\AppData\Local\Temp\a1143032ba8532ff8e5fb100228ab0f5.exe
C:\Users\Admin\AppData\Local\Temp\a1143032ba8532ff8e5fb100228ab0f5.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\Temp\a1143032ba8532ff8e5fb100228ab0f5.exe
"C:\Users\Admin\AppData\Local\Temp\a1143032ba8532ff8e5fb100228ab0f5.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab173A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar175D.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1143032ba8532ff8e5fb100228ab0f5.exe

Filesize
506KB

MD5
a1a6e7d39d2fccc2fdf82575dd0eebca

SHA1
e9f8b4974224f5a5edc504ea55e75f18b596ee07

SHA256
825568522386f5b56de30f4c7c75dbff1d6fe425b0ee0f0761a6b40d613a7f4e

SHA512
65be2c82b27637526c0f15f408d68e09ff702a6a6ba875bf0c899377b3343b41926e86a922ef3485e5606b3ebaa74bdc9ff170204a49e0308a1bdc5be6e8e479

Download Submit
memory/2852-25-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/2852-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2852-20-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2852-18-0x0000000000240000-0x00000000002C3000-memory.dmp

Filesize
524KB

Download
memory/2852-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2968-15-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2968-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2968-1-0x0000000000280000-0x0000000000303000-memory.dmp

Filesize
524KB

Download
memory/2968-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2968-12-0x0000000001490000-0x0000000001513000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads