5d904b2fdbd40b18dee623a1fe2bd157d74d763a65be9b85b5098421615f8e74

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aafb5ca61ae19f07c0286376453816ba.exe
Size

241KB
MD5

aafb5ca61ae19f07c0286376453816ba
SHA1

1a9a55b0e4b7d6d686d015e701c54abac867defd
SHA256

5d904b2fdbd40b18dee623a1fe2bd157d74d763a65be9b85b5098421615f8e74
SHA512

85bd9ca5d875e686d0f91e42b7a987680d71a5a34faeb35c107ef7255f14eb0a8e52fb426b07dce3fdfa4fc1033e676b5080390438b40bede5f93b5cf308107d
SSDEEP

6144:cfi3noEaS26yHPPCKsxgvXthngmC1T9CYYsoTfyveA5R0d6uHTr:nnoEU6yHSojgm0ZCDdvv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
400	aafb5ca61ae19f07c0286376453816ba.exe

Executes dropped EXE 1 IoCs

pid	Process
400	aafb5ca61ae19f07c0286376453816ba.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	pastebin.com
19	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
400	aafb5ca61ae19f07c0286376453816ba.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
400	aafb5ca61ae19f07c0286376453816ba.exe
400	aafb5ca61ae19f07c0286376453816ba.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3776	aafb5ca61ae19f07c0286376453816ba.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3776	aafb5ca61ae19f07c0286376453816ba.exe
400	aafb5ca61ae19f07c0286376453816ba.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 400	3776	aafb5ca61ae19f07c0286376453816ba.exe	85
PID 3776 wrote to memory of 400	3776	aafb5ca61ae19f07c0286376453816ba.exe	85
PID 3776 wrote to memory of 400	3776	aafb5ca61ae19f07c0286376453816ba.exe	85
PID 400 wrote to memory of 3584	400	aafb5ca61ae19f07c0286376453816ba.exe	89
PID 400 wrote to memory of 3584	400	aafb5ca61ae19f07c0286376453816ba.exe	89
PID 400 wrote to memory of 3584	400	aafb5ca61ae19f07c0286376453816ba.exe	89

C:\Users\Admin\AppData\Local\Temp\aafb5ca61ae19f07c0286376453816ba.exe
"C:\Users\Admin\AppData\Local\Temp\aafb5ca61ae19f07c0286376453816ba.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Users\Admin\AppData\Local\Temp\aafb5ca61ae19f07c0286376453816ba.exe
  C:\Users\Admin\AppData\Local\Temp\aafb5ca61ae19f07c0286376453816ba.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\aafb5ca61ae19f07c0286376453816ba.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aafb5ca61ae19f07c0286376453816ba.exe

Filesize
241KB

MD5
08993b9ecbe5f3493c65b9b76160ec7c

SHA1
370c13d7c433a4ad9cecf2d3d0e01c99b2f5150f

SHA256
daec24a7cae4a464b2b34420f5eb57c496cb9470ed5d069a819e15d9396345ab

SHA512
5a2c08d49dc00b1a43f442d4cc0117688ad70342b03977eed91f743d3a19aab6631b7e04ee86659f17ed3c25878af4701c0b0fee8514a8e2778527db3549ea2d

Download Submit
memory/400-13-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/400-14-0x0000000001640000-0x00000000016F7000-memory.dmp

Filesize
732KB

Download
memory/400-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/400-20-0x0000000004F40000-0x0000000004FA6000-memory.dmp

Filesize
408KB

Download
memory/400-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3776-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3776-1-0x0000000001720000-0x00000000017D7000-memory.dmp

Filesize
732KB

Download
memory/3776-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3776-11-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download