aea6c788a101260300e94776ca4f4b66450ad7bbd9d5e10cda211f09f48d932c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7fb20b8b6bff4798ecc7e1a431380de.exe
Size

506KB
MD5

b7fb20b8b6bff4798ecc7e1a431380de
SHA1

d1a677044b74e3060ff98eff59dd2708dd0bdadd
SHA256

aea6c788a101260300e94776ca4f4b66450ad7bbd9d5e10cda211f09f48d932c
SHA512

1e0e251e3bb3d157ccf90fc7bc336588be474ececfa67dc8643b6e2908637019eda95f3ab703e46d7b9833b9202ea27aa5331888a531fce34d5f1158960a143c
SSDEEP

12288:4KvHCYsx0J7i2QYH42FnBC9atwJbexkNeF:50OoWBIa+Y

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4320	b7fb20b8b6bff4798ecc7e1a431380de.exe

Executes dropped EXE 1 IoCs

pid	Process
4320	b7fb20b8b6bff4798ecc7e1a431380de.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	pastebin.com
24	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4320	b7fb20b8b6bff4798ecc7e1a431380de.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4320	b7fb20b8b6bff4798ecc7e1a431380de.exe
4320	b7fb20b8b6bff4798ecc7e1a431380de.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3944	b7fb20b8b6bff4798ecc7e1a431380de.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3944	b7fb20b8b6bff4798ecc7e1a431380de.exe
4320	b7fb20b8b6bff4798ecc7e1a431380de.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 4320	3944	b7fb20b8b6bff4798ecc7e1a431380de.exe	88
PID 3944 wrote to memory of 4320	3944	b7fb20b8b6bff4798ecc7e1a431380de.exe	88
PID 3944 wrote to memory of 4320	3944	b7fb20b8b6bff4798ecc7e1a431380de.exe	88
PID 4320 wrote to memory of 4884	4320	b7fb20b8b6bff4798ecc7e1a431380de.exe	91
PID 4320 wrote to memory of 4884	4320	b7fb20b8b6bff4798ecc7e1a431380de.exe	91
PID 4320 wrote to memory of 4884	4320	b7fb20b8b6bff4798ecc7e1a431380de.exe	91

C:\Users\Admin\AppData\Local\Temp\b7fb20b8b6bff4798ecc7e1a431380de.exe
"C:\Users\Admin\AppData\Local\Temp\b7fb20b8b6bff4798ecc7e1a431380de.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\b7fb20b8b6bff4798ecc7e1a431380de.exe
  C:\Users\Admin\AppData\Local\Temp\b7fb20b8b6bff4798ecc7e1a431380de.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b7fb20b8b6bff4798ecc7e1a431380de.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b7fb20b8b6bff4798ecc7e1a431380de.exe

Filesize
506KB

MD5
8be2511defcf32064657706f6160a0de

SHA1
9c758209291a139e53c62fb90f22c885ce75101c

SHA256
8377f5f6c7eaf6ca77c8d9f8e15c3e844baa376f8d76681438f659a897a0d660

SHA512
1b9ccbb7795a889f801cf7cb11d6760d09baecbe31d2e8740948dc3224e6a0244f6e55791837891c600019d8d2bb6fa49da9da9df762c0f8b498f20517c3e3c5

Download Submit
memory/3944-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3944-1-0x0000000001640000-0x00000000016C3000-memory.dmp

Filesize
524KB

Download
memory/3944-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3944-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4320-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4320-17-0x0000000000170000-0x00000000001F3000-memory.dmp

Filesize
524KB

Download
memory/4320-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4320-20-0x0000000004F40000-0x0000000004FBE000-memory.dmp

Filesize
504KB

Download
memory/4320-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download