5dc85f83ebede67ef18cc8e64ad0b937335e6b96955845a9d579cba72efcdfe4

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 01:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ba263bc690e00534c0884bd77d8271af.exe
Size

1000KB
MD5

ba263bc690e00534c0884bd77d8271af
SHA1

239d8750c8b2c393c475b0cfb2ce99de90becb25
SHA256

5dc85f83ebede67ef18cc8e64ad0b937335e6b96955845a9d579cba72efcdfe4
SHA512

e6d7517837eab9450ffbddafa4a78fd3b225c0e3ddd4131b6cc088231a38e39d3869bceb3486bdb18676161dd4eb8f333b748f8e94d1fefd11cdeb662d0d42d8
SSDEEP

24576:ijCDldvChVFcmCpHBvV/1B+5vMiqt0gj2ed:ijCDldyVFNuHBvVfqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2356	ba263bc690e00534c0884bd77d8271af.exe

Executes dropped EXE 1 IoCs

pid	Process
2356	ba263bc690e00534c0884bd77d8271af.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
40	pastebin.com
34	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2356	ba263bc690e00534c0884bd77d8271af.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2356	ba263bc690e00534c0884bd77d8271af.exe
2356	ba263bc690e00534c0884bd77d8271af.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4468	ba263bc690e00534c0884bd77d8271af.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4468	ba263bc690e00534c0884bd77d8271af.exe
2356	ba263bc690e00534c0884bd77d8271af.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 2356	4468	ba263bc690e00534c0884bd77d8271af.exe	101
PID 4468 wrote to memory of 2356	4468	ba263bc690e00534c0884bd77d8271af.exe	101
PID 4468 wrote to memory of 2356	4468	ba263bc690e00534c0884bd77d8271af.exe	101
PID 2356 wrote to memory of 2348	2356	ba263bc690e00534c0884bd77d8271af.exe	103
PID 2356 wrote to memory of 2348	2356	ba263bc690e00534c0884bd77d8271af.exe	103
PID 2356 wrote to memory of 2348	2356	ba263bc690e00534c0884bd77d8271af.exe	103

C:\Users\Admin\AppData\Local\Temp\ba263bc690e00534c0884bd77d8271af.exe
"C:\Users\Admin\AppData\Local\Temp\ba263bc690e00534c0884bd77d8271af.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Users\Admin\AppData\Local\Temp\ba263bc690e00534c0884bd77d8271af.exe
  C:\Users\Admin\AppData\Local\Temp\ba263bc690e00534c0884bd77d8271af.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\ba263bc690e00534c0884bd77d8271af.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2628 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ba263bc690e00534c0884bd77d8271af.exe

Filesize
1000KB

MD5
385217fbef2a9d0b136eb5784c3fbd6c

SHA1
84b649ed495c88d02fee0d1b2e36d4c8ab6f51b2

SHA256
7f74f68322809e432be066e9687cffce718db6407ce3d183bb8ff0c1d50821af

SHA512
2e5d51362d5f98f0943533ca7cc25bb9dee16c0bd1b6b0f588482b2a1e13f96829be1ddbbf33e86cded1beff1d3bbe1ea02ee322f107d2b8271653ccf926fdb0

Download Submit
memory/2356-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2356-14-0x0000000001670000-0x00000000016F3000-memory.dmp

Filesize
524KB

Download
memory/2356-20-0x0000000004F00000-0x0000000004F7E000-memory.dmp

Filesize
504KB

Download
memory/2356-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2356-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4468-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4468-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4468-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4468-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download