6c533b5ee78c2bb240a08d3238e410bcccaf54e01c8f9553e8919ff5354f4230

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9fc74097feace2212582bbef23699ac.exe
Size

1000KB
MD5

b9fc74097feace2212582bbef23699ac
SHA1

f33cac79aa58bd806b0c04c58214b966df0d271d
SHA256

6c533b5ee78c2bb240a08d3238e410bcccaf54e01c8f9553e8919ff5354f4230
SHA512

9c0eaee4587a9a659930ed9bb267db20f7fae2ba31db55c0b4653037196061b4ff4a946694a121a3512577737d232846f76dd9fae15ec85715a2a3192dd161c4
SSDEEP

24576:a77tAE/+rxFj1l2XmA/51B+5vMiqt0gj2ed:NEWrxFP4lqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2044	b9fc74097feace2212582bbef23699ac.exe

Executes dropped EXE 1 IoCs

pid	Process
2044	b9fc74097feace2212582bbef23699ac.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	pastebin.com
30	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2044	b9fc74097feace2212582bbef23699ac.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2044	b9fc74097feace2212582bbef23699ac.exe
2044	b9fc74097feace2212582bbef23699ac.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5032	b9fc74097feace2212582bbef23699ac.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5032	b9fc74097feace2212582bbef23699ac.exe
2044	b9fc74097feace2212582bbef23699ac.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 2044	5032	b9fc74097feace2212582bbef23699ac.exe	90
PID 5032 wrote to memory of 2044	5032	b9fc74097feace2212582bbef23699ac.exe	90
PID 5032 wrote to memory of 2044	5032	b9fc74097feace2212582bbef23699ac.exe	90
PID 2044 wrote to memory of 4000	2044	b9fc74097feace2212582bbef23699ac.exe	92
PID 2044 wrote to memory of 4000	2044	b9fc74097feace2212582bbef23699ac.exe	92
PID 2044 wrote to memory of 4000	2044	b9fc74097feace2212582bbef23699ac.exe	92

C:\Users\Admin\AppData\Local\Temp\b9fc74097feace2212582bbef23699ac.exe
"C:\Users\Admin\AppData\Local\Temp\b9fc74097feace2212582bbef23699ac.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Users\Admin\AppData\Local\Temp\b9fc74097feace2212582bbef23699ac.exe
  C:\Users\Admin\AppData\Local\Temp\b9fc74097feace2212582bbef23699ac.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b9fc74097feace2212582bbef23699ac.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b9fc74097feace2212582bbef23699ac.exe

Filesize
1000KB

MD5
764cb216c19c5495606e99ec343af164

SHA1
3b6b9ab6662c8e78dc77cad1d64b5f8131b80964

SHA256
5ece787be79b0dd79885bc7efa80de51df2ffc5637ced33a80345d0f84e5894f

SHA512
0e95c2fb944627123cd69bf4b9c2f278231d3bf66a68b60ac852694ad783fdf41658134b7634dbe98d7b6ef368a27e558f13cdf1260940e5a77ec8cad2609869

Download Submit
memory/2044-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2044-15-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2044-20-0x0000000004F50000-0x0000000004FCE000-memory.dmp

Filesize
504KB

Download
memory/2044-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2044-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5032-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5032-1-0x00000000015E0000-0x0000000001663000-memory.dmp

Filesize
524KB

Download
memory/5032-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5032-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download