e205685449dfcbdc2b5128a68c86f8272b46bcf6f649088269c790ac008fa803

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a468ec4d10506f7ec7adbc4eacf9d347.exe
Size

506KB
MD5

a468ec4d10506f7ec7adbc4eacf9d347
SHA1

c6d05cb4b093391565b215bcc0e3e2dc276bd243
SHA256

e205685449dfcbdc2b5128a68c86f8272b46bcf6f649088269c790ac008fa803
SHA512

bcb41a67fafb0927cfb548d3e03c2619f72b3f5ac407dac63f66f325c39fb0a48a25bdd6b93bb0d771a1a6dacce1092629d6ff9425363f4916d9ebb1c9fd9f60
SSDEEP

12288:Mtt5uXEFXORcnqnKVpQYP/9GGo3jWBMFGVqrM8z7s1uA:kXORcnJVIzHGqY83s

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4056	a468ec4d10506f7ec7adbc4eacf9d347.exe

Executes dropped EXE 1 IoCs

pid	Process
4056	a468ec4d10506f7ec7adbc4eacf9d347.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	pastebin.com
17	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4056	a468ec4d10506f7ec7adbc4eacf9d347.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4056	a468ec4d10506f7ec7adbc4eacf9d347.exe
4056	a468ec4d10506f7ec7adbc4eacf9d347.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3968	a468ec4d10506f7ec7adbc4eacf9d347.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3968	a468ec4d10506f7ec7adbc4eacf9d347.exe
4056	a468ec4d10506f7ec7adbc4eacf9d347.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 4056	3968	a468ec4d10506f7ec7adbc4eacf9d347.exe	86
PID 3968 wrote to memory of 4056	3968	a468ec4d10506f7ec7adbc4eacf9d347.exe	86
PID 3968 wrote to memory of 4056	3968	a468ec4d10506f7ec7adbc4eacf9d347.exe	86
PID 4056 wrote to memory of 3468	4056	a468ec4d10506f7ec7adbc4eacf9d347.exe	87
PID 4056 wrote to memory of 3468	4056	a468ec4d10506f7ec7adbc4eacf9d347.exe	87
PID 4056 wrote to memory of 3468	4056	a468ec4d10506f7ec7adbc4eacf9d347.exe	87

C:\Users\Admin\AppData\Local\Temp\a468ec4d10506f7ec7adbc4eacf9d347.exe
"C:\Users\Admin\AppData\Local\Temp\a468ec4d10506f7ec7adbc4eacf9d347.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\AppData\Local\Temp\a468ec4d10506f7ec7adbc4eacf9d347.exe
  C:\Users\Admin\AppData\Local\Temp\a468ec4d10506f7ec7adbc4eacf9d347.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\a468ec4d10506f7ec7adbc4eacf9d347.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a468ec4d10506f7ec7adbc4eacf9d347.exe

Filesize
506KB

MD5
d748c8e8e1fafee2c9f57773abd022d4

SHA1
aa3bf932a9d8e003893450fcee1449c4fabbc014

SHA256
50187e2a5ad23a6d9e16b07342101bcbcd2e90506b5a919baa25e220056cb8a5

SHA512
25dd060c63b3ba17b07b956268ff708f497dd5c7c82380a9f9d5c8c5209ca77b964e46ac70f1967d50ad050a4f5b184c0b9979298aa7d1475601725435c4777d

Download Submit
memory/3968-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3968-1-0x0000000000160000-0x00000000001E3000-memory.dmp

Filesize
524KB

Download
memory/3968-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3968-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4056-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4056-14-0x0000000000150000-0x00000000001D3000-memory.dmp

Filesize
524KB

Download
memory/4056-20-0x0000000004F50000-0x0000000004FCE000-memory.dmp

Filesize
504KB

Download
memory/4056-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4056-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download