191d1fd31f305fe034dd6d2db9e0c043941b61bd245695c5807836714f426e11

Analysis

max time kernel
157s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9b80f428c5cfacd69c312236625987a.exe
Size

1000KB
MD5

b9b80f428c5cfacd69c312236625987a
SHA1

db845a20bddedd2491afb28b0d57ef76a7f4d7ac
SHA256

191d1fd31f305fe034dd6d2db9e0c043941b61bd245695c5807836714f426e11
SHA512

89942306f3a879f53cd8422faa07f9a37382382a48079aad5dab1bb2297d089b978020f113e03a12ee1bec8a119ce0a9fb7dd4615584ee452b3738c708e7d6f3
SSDEEP

24576:f0J3S506S1vPSY2ukZ1B+5vMiqt0gj2ed:+k03YYdkFqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4716	b9b80f428c5cfacd69c312236625987a.exe

Executes dropped EXE 1 IoCs

pid	Process
4716	b9b80f428c5cfacd69c312236625987a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
36	pastebin.com
38	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4716	b9b80f428c5cfacd69c312236625987a.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4716	b9b80f428c5cfacd69c312236625987a.exe
4716	b9b80f428c5cfacd69c312236625987a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4584	b9b80f428c5cfacd69c312236625987a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4584	b9b80f428c5cfacd69c312236625987a.exe
4716	b9b80f428c5cfacd69c312236625987a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 4716	4584	b9b80f428c5cfacd69c312236625987a.exe	89
PID 4584 wrote to memory of 4716	4584	b9b80f428c5cfacd69c312236625987a.exe	89
PID 4584 wrote to memory of 4716	4584	b9b80f428c5cfacd69c312236625987a.exe	89
PID 4716 wrote to memory of 4572	4716	b9b80f428c5cfacd69c312236625987a.exe	91
PID 4716 wrote to memory of 4572	4716	b9b80f428c5cfacd69c312236625987a.exe	91
PID 4716 wrote to memory of 4572	4716	b9b80f428c5cfacd69c312236625987a.exe	91

C:\Users\Admin\AppData\Local\Temp\b9b80f428c5cfacd69c312236625987a.exe
"C:\Users\Admin\AppData\Local\Temp\b9b80f428c5cfacd69c312236625987a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\b9b80f428c5cfacd69c312236625987a.exe
  C:\Users\Admin\AppData\Local\Temp\b9b80f428c5cfacd69c312236625987a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b9b80f428c5cfacd69c312236625987a.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b9b80f428c5cfacd69c312236625987a.exe

Filesize
1000KB

MD5
bf0f69f4ec9ba15761ceb8f1a443914b

SHA1
7ae4d39c46fbaa82ab4373e1dd11bd3ed69c9e42

SHA256
f31d87c2bf78fd4d9a41bc7474c2b40dca4448c2f61f4bc0801060cfec527d87

SHA512
20a77dbda56fd95fafb2c9f4e5d0129801caf6584c73311933960359e336addcf7567f61706f933ccee2dbe96a834d54c922325de47a9179ee9095a9b34e99a2

Download Submit
memory/4584-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4584-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4584-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4584-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4716-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4716-15-0x0000000001490000-0x0000000001513000-memory.dmp

Filesize
524KB

Download
memory/4716-20-0x0000000004FD0000-0x000000000504E000-memory.dmp

Filesize
504KB

Download
memory/4716-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4716-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download