fb29dafde92887abdf5240167aa73b99acbc1ab182251156d6a86288cc209e2b

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a44aa7e77efe06de2dd423a22977a21a.exe
Size

1000KB
MD5

a44aa7e77efe06de2dd423a22977a21a
SHA1

015a3638008752782e08d460bb239c2dfa4ffa32
SHA256

fb29dafde92887abdf5240167aa73b99acbc1ab182251156d6a86288cc209e2b
SHA512

93a1aad9ac81f6f92e5d88894ea4fff489e02aced6879bee83cd9785a2027bf7368ec364c05ada63a422e879fd9f429721dadec4fc890f78ff3ce8c0b1a4fcf2
SSDEEP

12288:SQT7Qh9Trg7zFOccbDqddr2cGeWLYmoMvwrimpZ3Bgh07RuC7l1ECaBwQ2tb5JLm:JIPyZcgdr2BvKpZ3I1B+5vMiqt0gj2ed

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3316	a44aa7e77efe06de2dd423a22977a21a.exe

Executes dropped EXE 1 IoCs

pid	Process
3316	a44aa7e77efe06de2dd423a22977a21a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	pastebin.com
18	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3316	a44aa7e77efe06de2dd423a22977a21a.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4148	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3316	a44aa7e77efe06de2dd423a22977a21a.exe
3316	a44aa7e77efe06de2dd423a22977a21a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1604	a44aa7e77efe06de2dd423a22977a21a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1604	a44aa7e77efe06de2dd423a22977a21a.exe
3316	a44aa7e77efe06de2dd423a22977a21a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 3316	1604	a44aa7e77efe06de2dd423a22977a21a.exe	86
PID 1604 wrote to memory of 3316	1604	a44aa7e77efe06de2dd423a22977a21a.exe	86
PID 1604 wrote to memory of 3316	1604	a44aa7e77efe06de2dd423a22977a21a.exe	86
PID 3316 wrote to memory of 4148	3316	a44aa7e77efe06de2dd423a22977a21a.exe	87
PID 3316 wrote to memory of 4148	3316	a44aa7e77efe06de2dd423a22977a21a.exe	87
PID 3316 wrote to memory of 4148	3316	a44aa7e77efe06de2dd423a22977a21a.exe	87

C:\Users\Admin\AppData\Local\Temp\a44aa7e77efe06de2dd423a22977a21a.exe
"C:\Users\Admin\AppData\Local\Temp\a44aa7e77efe06de2dd423a22977a21a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\a44aa7e77efe06de2dd423a22977a21a.exe
  C:\Users\Admin\AppData\Local\Temp\a44aa7e77efe06de2dd423a22977a21a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\a44aa7e77efe06de2dd423a22977a21a.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a44aa7e77efe06de2dd423a22977a21a.exe

Filesize
1000KB

MD5
3de8ed3ac195a3987a62effa9c62c422

SHA1
59dac5959c97b20cee0bb2ddc121d480d54a435b

SHA256
0b1a03ddaec259d697d0c3891ceedc046c0c816382bf77ffcf0c10196be16152

SHA512
197cdf6e1078e612d0ff42e257d2eb856a98fd67818680c646d28021d2487f9f11192c36138299b12e5a17cbf33a317732f6834eb08d2d6b9d72f6d7cfcb9903

Download Submit
memory/1604-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1604-1-0x0000000001620000-0x00000000016A3000-memory.dmp

Filesize
524KB

Download
memory/1604-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1604-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3316-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3316-14-0x0000000001660000-0x00000000016E3000-memory.dmp

Filesize
524KB

Download
memory/3316-20-0x0000000004F20000-0x0000000004F9E000-memory.dmp

Filesize
504KB

Download
memory/3316-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3316-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download