8ddebc5a15cadcbe131cf42991349711309c5691bc9cc2697ec4559e8dd5a8fe

Analysis

max time kernel
139s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbc1e1ce703884ecdb2b5f1d522096e3.exe
Size

506KB
MD5

bbc1e1ce703884ecdb2b5f1d522096e3
SHA1

13f097a824f49d994eb9f331e6da4efb4d56f14a
SHA256

8ddebc5a15cadcbe131cf42991349711309c5691bc9cc2697ec4559e8dd5a8fe
SHA512

d4c66ecca380010cf4083e87ebe096b2f25613272b3a27188858637bbac11a9becb27dd50d7a14311c5e276ef23b2f7e450e6eebc4beb97721210d0d2a900080
SSDEEP

12288:Q+dPEQ2qyzdVlxUwzQcP/u3ynnHd7F96yPsziRjbcMljD:QhD7XUwP3nH/96yPsONcMx

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
864	bbc1e1ce703884ecdb2b5f1d522096e3.exe

Executes dropped EXE 1 IoCs

pid	Process
864	bbc1e1ce703884ecdb2b5f1d522096e3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	pastebin.com
22	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
864	bbc1e1ce703884ecdb2b5f1d522096e3.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
864	bbc1e1ce703884ecdb2b5f1d522096e3.exe
864	bbc1e1ce703884ecdb2b5f1d522096e3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5080	bbc1e1ce703884ecdb2b5f1d522096e3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5080	bbc1e1ce703884ecdb2b5f1d522096e3.exe
864	bbc1e1ce703884ecdb2b5f1d522096e3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 864	5080	bbc1e1ce703884ecdb2b5f1d522096e3.exe	88
PID 5080 wrote to memory of 864	5080	bbc1e1ce703884ecdb2b5f1d522096e3.exe	88
PID 5080 wrote to memory of 864	5080	bbc1e1ce703884ecdb2b5f1d522096e3.exe	88
PID 864 wrote to memory of 2316	864	bbc1e1ce703884ecdb2b5f1d522096e3.exe	92
PID 864 wrote to memory of 2316	864	bbc1e1ce703884ecdb2b5f1d522096e3.exe	92
PID 864 wrote to memory of 2316	864	bbc1e1ce703884ecdb2b5f1d522096e3.exe	92

C:\Users\Admin\AppData\Local\Temp\bbc1e1ce703884ecdb2b5f1d522096e3.exe
"C:\Users\Admin\AppData\Local\Temp\bbc1e1ce703884ecdb2b5f1d522096e3.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\bbc1e1ce703884ecdb2b5f1d522096e3.exe
  C:\Users\Admin\AppData\Local\Temp\bbc1e1ce703884ecdb2b5f1d522096e3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\bbc1e1ce703884ecdb2b5f1d522096e3.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bbc1e1ce703884ecdb2b5f1d522096e3.exe

Filesize
506KB

MD5
0e08be9d3ff595fd1eca4f5a510fd852

SHA1
8bf7f9f4b78fb848b71721035b4654f0d3004671

SHA256
e3ff0b133a058c4e43fe29b483494517974ffd91a12e6082e8ab9fb8d7f55c55

SHA512
6c39ce3dc41051cc4e2e72c0f96b1117134e09abcb0ce9c647bfcfdab7cd2c761562b577de13ff812783d59275d455a600dbf57ec3cfdc0a70474cfd5d8d7618

Download Submit
memory/864-17-0x00000000015E0000-0x0000000001663000-memory.dmp

Filesize
524KB

Download
memory/864-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/864-20-0x0000000004F70000-0x0000000004FEE000-memory.dmp

Filesize
504KB

Download
memory/864-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/864-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5080-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5080-1-0x0000000001630000-0x00000000016B3000-memory.dmp

Filesize
524KB

Download
memory/5080-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5080-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download