8cbd90103592be2b5ba14f5a14a4419625debd11abb0125e3ba1aed7f20ad4f8

Analysis

max time kernel
93s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 11:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a3b63113ec5d38a899078c2eca68e740.exe
Size

1000KB
MD5

a3b63113ec5d38a899078c2eca68e740
SHA1

e6450421ae42a6d25bc7357af63f74c299ab05b5
SHA256

8cbd90103592be2b5ba14f5a14a4419625debd11abb0125e3ba1aed7f20ad4f8
SHA512

f7d08a72a3524b530545a8e9d401bf36e3e3076c342b4e1667cb2ef4084ddee14f8291a52b46c0c75aa434c08f22a371ec147f66727100569991dc01dd3a1a5d
SSDEEP

24576:O6L1qLTKqNaexWBl7jMCiHSa6xY1B+5vMiqt0gj2ed:OUsT5Ql/MYrwqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3564	a3b63113ec5d38a899078c2eca68e740.exe

Executes dropped EXE 1 IoCs

pid	Process
3564	a3b63113ec5d38a899078c2eca68e740.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	pastebin.com
17	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3564	a3b63113ec5d38a899078c2eca68e740.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3564	a3b63113ec5d38a899078c2eca68e740.exe
3564	a3b63113ec5d38a899078c2eca68e740.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3208	a3b63113ec5d38a899078c2eca68e740.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3208	a3b63113ec5d38a899078c2eca68e740.exe
3564	a3b63113ec5d38a899078c2eca68e740.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 3564	3208	a3b63113ec5d38a899078c2eca68e740.exe	88
PID 3208 wrote to memory of 3564	3208	a3b63113ec5d38a899078c2eca68e740.exe	88
PID 3208 wrote to memory of 3564	3208	a3b63113ec5d38a899078c2eca68e740.exe	88
PID 3564 wrote to memory of 736	3564	a3b63113ec5d38a899078c2eca68e740.exe	91
PID 3564 wrote to memory of 736	3564	a3b63113ec5d38a899078c2eca68e740.exe	91
PID 3564 wrote to memory of 736	3564	a3b63113ec5d38a899078c2eca68e740.exe	91

C:\Users\Admin\AppData\Local\Temp\a3b63113ec5d38a899078c2eca68e740.exe
"C:\Users\Admin\AppData\Local\Temp\a3b63113ec5d38a899078c2eca68e740.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Users\Admin\AppData\Local\Temp\a3b63113ec5d38a899078c2eca68e740.exe
  C:\Users\Admin\AppData\Local\Temp\a3b63113ec5d38a899078c2eca68e740.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\a3b63113ec5d38a899078c2eca68e740.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a3b63113ec5d38a899078c2eca68e740.exe

Filesize
1000KB

MD5
6c914470415b0ada0b9a6e2b7972e527

SHA1
2faabf7808dde26b94d3dee05101e1f6917d6afa

SHA256
83a53080bacb1ef09137b3fdab559fd8ce8e312dd6e06c6b8344e0129596e2ac

SHA512
82b36c0e800e62509390c32e2448abd6799c910adffabf54f6000917097cf034cd93d52281935007169c5dd9bf99012810e01422cfd389dc4494d8a3cbdffd15

Download Submit
memory/3208-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3208-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/3208-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3208-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3564-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3564-16-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/3564-20-0x0000000004F60000-0x0000000004FDE000-memory.dmp

Filesize
504KB

Download
memory/3564-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3564-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download