010d2cfc5e602b85e69209be1a93b9142ab0ab2ff9cf665f3d0c8ee474addaa6

Analysis

max time kernel
142s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b780d734763f06256d19cea98b595bc5.exe
Size

1000KB
MD5

b780d734763f06256d19cea98b595bc5
SHA1

028f52fc51f8271fee607d39345c3c2e71fc5814
SHA256

010d2cfc5e602b85e69209be1a93b9142ab0ab2ff9cf665f3d0c8ee474addaa6
SHA512

07d84d285983c93a728ff0531ea704f7131332707a659b8eae032f9e39d0147dff45bbd62d1577498f67cf68e21e0b8a6ffd2a23776952179f79e94eb89457f7
SSDEEP

24576:UZzkw4xgRn3GFf04OZxDsZH1B+5vMiqt0gj2ed:mkw5W904OZxQpqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3592	b780d734763f06256d19cea98b595bc5.exe

Executes dropped EXE 1 IoCs

pid	Process
3592	b780d734763f06256d19cea98b595bc5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
45	pastebin.com
49	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3592	b780d734763f06256d19cea98b595bc5.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3592	b780d734763f06256d19cea98b595bc5.exe
3592	b780d734763f06256d19cea98b595bc5.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2520	b780d734763f06256d19cea98b595bc5.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2520	b780d734763f06256d19cea98b595bc5.exe
3592	b780d734763f06256d19cea98b595bc5.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 3592	2520	b780d734763f06256d19cea98b595bc5.exe	100
PID 2520 wrote to memory of 3592	2520	b780d734763f06256d19cea98b595bc5.exe	100
PID 2520 wrote to memory of 3592	2520	b780d734763f06256d19cea98b595bc5.exe	100
PID 3592 wrote to memory of 4012	3592	b780d734763f06256d19cea98b595bc5.exe	101
PID 3592 wrote to memory of 4012	3592	b780d734763f06256d19cea98b595bc5.exe	101
PID 3592 wrote to memory of 4012	3592	b780d734763f06256d19cea98b595bc5.exe	101

C:\Users\Admin\AppData\Local\Temp\b780d734763f06256d19cea98b595bc5.exe
"C:\Users\Admin\AppData\Local\Temp\b780d734763f06256d19cea98b595bc5.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\b780d734763f06256d19cea98b595bc5.exe
  C:\Users\Admin\AppData\Local\Temp\b780d734763f06256d19cea98b595bc5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b780d734763f06256d19cea98b595bc5.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b780d734763f06256d19cea98b595bc5.exe

Filesize
1000KB

MD5
4f0880e0b01e578515ebc7118e6d1353

SHA1
8723e60cd3ddb5068c58759ae4d1353a91e7bc42

SHA256
80fe72ef91fa314f0c11ec120822308c8af927eeec5f65e2f0049caa938e498f

SHA512
fe51a7bb4297d7c655dd35a963c4ea1530d3c970e7a04d46bcae2eb8af951bb9da60a2a73aa021e4ceef52b49efe8eb3a936a16d4beb1515353924962ca76d2c

Download Submit
memory/2520-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2520-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2520-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2520-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3592-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3592-15-0x0000000001620000-0x00000000016A3000-memory.dmp

Filesize
524KB

Download
memory/3592-20-0x0000000004F70000-0x0000000004FEE000-memory.dmp

Filesize
504KB

Download
memory/3592-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3592-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download