58f7031844129ab86af0c5831a3142087929b590aeb25856765c90c90170c137

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9d0ae44642a7d5a513ebb0cc1a9161b.exe
Size

506KB
MD5

b9d0ae44642a7d5a513ebb0cc1a9161b
SHA1

738a6383936a69621a878cfbd62403cd0f2fc372
SHA256

58f7031844129ab86af0c5831a3142087929b590aeb25856765c90c90170c137
SHA512

28f03ce288d38f54e12de813da2fe63ebd10fdf6535259d1e0e257ccf434705fe9a445cae5e191ce8b782f8b834a165bbefc78a3fb551027562d11403b3d82fc
SSDEEP

12288:AWtdc7LXPC2ialO0Y3F2H9NOZGW1JPSPcexO1jAZuNwKFUFTfr+hK8yg:Nc7L/3Zl0I9YZ980xssNJFUFzyhKg

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4080	b9d0ae44642a7d5a513ebb0cc1a9161b.exe

Executes dropped EXE 1 IoCs

pid	Process
4080	b9d0ae44642a7d5a513ebb0cc1a9161b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	pastebin.com
17	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4080	b9d0ae44642a7d5a513ebb0cc1a9161b.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4080	b9d0ae44642a7d5a513ebb0cc1a9161b.exe
4080	b9d0ae44642a7d5a513ebb0cc1a9161b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1000	b9d0ae44642a7d5a513ebb0cc1a9161b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1000	b9d0ae44642a7d5a513ebb0cc1a9161b.exe
4080	b9d0ae44642a7d5a513ebb0cc1a9161b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 4080	1000	b9d0ae44642a7d5a513ebb0cc1a9161b.exe	88
PID 1000 wrote to memory of 4080	1000	b9d0ae44642a7d5a513ebb0cc1a9161b.exe	88
PID 1000 wrote to memory of 4080	1000	b9d0ae44642a7d5a513ebb0cc1a9161b.exe	88
PID 4080 wrote to memory of 1100	4080	b9d0ae44642a7d5a513ebb0cc1a9161b.exe	92
PID 4080 wrote to memory of 1100	4080	b9d0ae44642a7d5a513ebb0cc1a9161b.exe	92
PID 4080 wrote to memory of 1100	4080	b9d0ae44642a7d5a513ebb0cc1a9161b.exe	92

C:\Users\Admin\AppData\Local\Temp\b9d0ae44642a7d5a513ebb0cc1a9161b.exe
"C:\Users\Admin\AppData\Local\Temp\b9d0ae44642a7d5a513ebb0cc1a9161b.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\AppData\Local\Temp\b9d0ae44642a7d5a513ebb0cc1a9161b.exe
  C:\Users\Admin\AppData\Local\Temp\b9d0ae44642a7d5a513ebb0cc1a9161b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b9d0ae44642a7d5a513ebb0cc1a9161b.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b9d0ae44642a7d5a513ebb0cc1a9161b.exe

Filesize
506KB

MD5
84cb31f801cdc5e515294f49f55d93ed

SHA1
32c34d46f7b36b79cd1de4365ae04a7918b795b6

SHA256
9403e372aec045f4b6c1393289d5c89ef06f0fd8454b89f9cc39962fbe372f29

SHA512
65f328585e22e0498d7ab69c13fbb8bc9d6e5295d5034af35d9d911dd26dc5459ba649b880a30c8f9e538633c1f37d51d63f855c80dead507cf3b8a969ffe195

Download Submit
memory/1000-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1000-1-0x0000000001690000-0x0000000001713000-memory.dmp

Filesize
524KB

Download
memory/1000-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1000-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4080-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4080-15-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4080-20-0x0000000004F10000-0x0000000004F8E000-memory.dmp

Filesize
504KB

Download
memory/4080-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4080-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download