Analysis

max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09-03-2024 17:18
Behavioral task behavioral1
  Sample: bc5ec041f77b4e78ea39b2b5476f4a88.exe
  Resource: win7-20240221-en

Behavioral task behavioral2
  Sample: bc5ec041f77b4e78ea39b2b5476f4a88.exe
  Resource: win10v2004-20240226-en
General

Target: bc5ec041f77b4e78ea39b2b5476f4a88.exe
Size: 483KB
MD5: bc5ec041f77b4e78ea39b2b5476f4a88
SHA1: 5a47d47fe55603f26847a8f7ba4182248f215fba
SHA256: a30b3f060dc69295c6fb8da9bd75c29c6184c8a1658d1c7b8a90d4b23fe22617
SHA512: 38e38543611084996f70e409fcbbf88af239d709d8e88c5c8556f26c5288ca445478ae36d8a34a63d2a6f12b07889368f5820d6696f4b81bfbb206cd95bc10c9
SSDEEP: 12288:CcCbykb/LMgQOCE2N6Ihliq7ewBOvo4IWYyic2IL/Vi:6AjtE2Nt7e4JjWZfL/E
Signatures

Deletes itself (1 IoC)
  PID 2312  bc5ec041f77b4e78ea39b2b5476f4a88.exe

Executes dropped EXE (1 IoC)
  PID 2312  bc5ec041f77b4e78ea39b2b5476f4a88.exe

Loads dropped DLL (1 IoC)
  PID 3020  bc5ec041f77b4e78ea39b2b5476f4a88.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 5  pastebin.com
  flow 7  pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 2312  bc5ec041f77b4e78ea39b2b5476f4a88.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2568  schtasks.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2312  bc5ec041f77b4e78ea39b2b5476f4a88.exe

Suspicious behavior: RenamesItself (1 IoC)
  PID 3020  bc5ec041f77b4e78ea39b2b5476f4a88.exe

Suspicious use of UnmapMainImage (2 IoCs)
  PID 3020  bc5ec041f77b4e78ea39b2b5476f4a88.exe
  PID 2312  bc5ec041f77b4e78ea39b2b5476f4a88.exe

Suspicious use of WriteProcessMemory (8 IoCs; the report lists four identical rows for each pair)
  description                       pid   Process                               procid_target
  PID 3020 wrote to memory of 2312  3020  bc5ec041f77b4e78ea39b2b5476f4a88.exe  28  (4 events)
  PID 2312 wrote to memory of 2568  2312  bc5ec041f77b4e78ea39b2b5476f4a88.exe  29  (4 events)
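The WriteProcessMemory rows above are worth re-reading together with the UnmapMainImage and process-tree entries rather than one signature at a time. The script below is an added worked example, not part of the sandbox report and not the sandbox's own detection logic: it parses rows in the report's "PID X wrote to memory of Y" format (transcribed here from this report) and separates writes into a second instance of the writer's own image, where both PIDs have also unmapped their main image, from writes into a freshly launched child of a different image. The first shape is what a self-replacing launcher looks like; the second is also logged for the plain launch of schtasks.exe here, so on its own it carries little weight. Whether the child is actually hollowed cannot be read off the report alone. The helper names and the PID-to-image map are my own construction from the visible data.

```python
"""Re-derive the injection-style finding from Triage-style 'wrote to memory' rows.

Added example (not the report's or the sandbox's code). Rows and PID/image
data are transcribed from this report; the heuristic is a triage aid, not proof
of process hollowing.
"""
import re
from collections import Counter

# Row format as printed in the report:
#   PID <src> wrote to memory of <dst> <src> <image> <procid_target>
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

# Transcribed from the report: four identical rows per parent/child pair.
WRITE_ROWS = [
    "PID 3020 wrote to memory of 2312 3020 bc5ec041f77b4e78ea39b2b5476f4a88.exe 28",
] * 4 + [
    "PID 2312 wrote to memory of 2568 2312 bc5ec041f77b4e78ea39b2b5476f4a88.exe 29",
] * 4

# Image name per PID, from the report's process tree.
IMAGES = {
    3020: "bc5ec041f77b4e78ea39b2b5476f4a88.exe",
    2312: "bc5ec041f77b4e78ea39b2b5476f4a88.exe",
    2568: "schtasks.exe",
}

# PIDs the report flags under "Suspicious use of UnmapMainImage".
UNMAPPED = {3020, 2312}


def parse_rows(rows):
    """Count write events per (src_pid, dst_pid) pair; reject unparseable rows."""
    pairs = Counter()
    for row in rows:
        m = ROW_RE.search(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst = int(m.group(1)), int(m.group(2))
        pairs[(src, dst)] += 1
    return pairs


def self_injection_pairs(pairs, images, unmapped):
    """Writer and target run the same image and both unmapped their main image:
    the shape of a launcher replacing a second copy of itself in memory."""
    return sorted(
        (src, dst)
        for (src, dst) in pairs
        if images.get(src) == images.get(dst) and src in unmapped and dst in unmapped
    )


def ordinary_child_writes(pairs, images):
    """Writes into a child of a different image. Sandboxes also log these for
    plain process creation (here: launching schtasks.exe), so treat as weak."""
    return sorted(
        (src, dst) for (src, dst) in pairs if images.get(src) != images.get(dst)
    )


if __name__ == "__main__":
    pairs = parse_rows(WRITE_ROWS)
    print("write counts:", dict(pairs))
    print("self-injection candidates:", self_injection_pairs(pairs, IMAGES, UNMAPPED))
    print("ordinary child writes:", ordinary_child_writes(pairs, IMAGES))
```

Feeding the rows from another report into parse_rows only needs the PID-to-image map from that report's process tree; the two classifiers are deliberately independent so a hit in self_injection_pairs can be escalated while ordinary_child_writes stays informational.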
Processes

C:\Users\Admin\AppData\Local\Temp\bc5ec041f77b4e78ea39b2b5476f4a88.exe  (PID 3020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc5ec041f77b4e78ea39b2b5476f4a88.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\bc5ec041f77b4e78ea39b2b5476f4a88.exe  (PID 2312, child of 3020)
    Command line: C:\Users\Admin\AppData\Local\Temp\bc5ec041f77b4e78ea39b2b5476f4a88.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 2568, child of 2312)
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\bc5ec041f77b4e78ea39b2b5476f4a88.exe" /TN Google_Trk_Updater /F
      - Creates scheduled task(s)
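The schtasks.exe command line in the process tree is the one artefact here a defender can turn directly into a rule: a task triggered at logon, requesting the highest run level, whose action lives under the user's Temp directory, carries a vendor-flavoured name, and uses /F to overwrite anything already registered under that name. The script below is an added example, not part of the report: it parses schtasks.exe /CREATE switches and scores those traits. The command line from this report is transcribed as-is; the second, benign command line is constructed for contrast, and the thresholds, keyword lists and function names are my own choices.

```python
"""Score schtasks.exe /CREATE command lines for persistence traits.

Added example (not the report's or the sandbox's code). REPORT_CMDLINE is
transcribed from this report; BENIGN_CMDLINE is constructed for contrast.
"""
import re

# One switch and its optional value. A value may be "quoted" or a single token
# that does not start with '/'; unquoted values containing spaces are not handled.
SWITCH_RE = re.compile(r'/([A-Za-z]+)(?:\s+("[^"]*"|[^/\s]\S*))?')

VENDOR_WORDS = ("google", "microsoft", "windows", "adobe", "chrome", "update")
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows\\")
USER_WRITABLE = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
    "\\users\\public\\", "\\programdata\\",
)

# Transcribed from the report's process tree (PID 2568).
REPORT_CMDLINE = (
    r'schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON '
    r'/TR "C:\Users\Admin\AppData\Local\Temp\bc5ec041f77b4e78ea39b2b5476f4a88.exe" '
    r'/TN Google_Trk_Updater /F'
)
# Constructed benign example: daily job in Program Files, no elevation, no /F.
BENIGN_CMDLINE = (
    r'schtasks.exe /CREATE /SC DAILY /ST 03:00 /TN "Contoso Backup" '
    r'/TR "C:\Program Files\Contoso\backup.exe"'
)


def parse_schtasks(cmdline):
    """Return {SWITCH: value-or-None}; quotes are stripped from values."""
    return {
        m.group(1).upper(): (m.group(2).strip('"') if m.group(2) else None)
        for m in SWITCH_RE.finditer(cmdline)
    }


def assess_schtasks(cmdline):
    """List the persistence traits present in a schtasks /CREATE command line."""
    args = parse_schtasks(cmdline)
    findings = []
    if "CREATE" not in args:
        return findings  # only task creation is scored here
    sc = (args.get("SC") or "").upper()
    if sc in ("ONLOGON", "ONSTART", "ONIDLE"):
        findings.append(f"persistence trigger /SC {sc}")
    if (args.get("RL") or "").upper() == "HIGHEST":
        findings.append("requests highest run level (/RL HIGHEST)")
    target = (args.get("TR") or "").lower()
    if any(p in target for p in USER_WRITABLE):
        findings.append("task action lives in a user-writable directory")
    name = (args.get("TN") or "").lower()
    if any(w in name for w in VENDOR_WORDS) and not target.startswith(TRUSTED_ROOTS):
        findings.append("vendor-themed task name but action outside Program Files/Windows")
    if "F" in args:
        findings.append("/F silently overwrites an existing task of the same name")
    return findings


def is_suspicious(cmdline, threshold=3):
    """Three or more traits together is the bar used here; tune per environment."""
    return len(assess_schtasks(cmdline)) >= threshold


if __name__ == "__main__":
    for label, cmd in (("report", REPORT_CMDLINE), ("benign", BENIGN_CMDLINE)):
        print(label, is_suspicious(cmd), assess_schtasks(cmd))
```

The same parser works on the command-line field of Windows Security event 4698 (task created) or Sysmon event 1 for schtasks.exe; the scoring keeps each trait separate so an analyst can see which one tipped a given task over the threshold.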
Downloads

File 1
  Filesize: 67KB
  MD5: 753df6889fd7410a2e9fe333da83a429
  SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
  SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
  SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

File 2
  Filesize: 175KB
  MD5: dd73cead4b93366cf3465c8cd32e2796
  SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
  SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
  SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

File 3 (same 483KB size as the submitted sample, but different hashes)
  Filesize: 483KB
  MD5: 6945ee5efdaa25d473a320a5951dc8d4
  SHA1: bd57eb335b4123e9088c8e0ebe707119f4a79c73
  SHA256: 5a1a3db5d2d97d51d2e2dcfcd33d046b1451bca910a44dbff02b08ba7af6d4b0
  SHA512: 016571bfb59b076d532940eaba6b8f13f4a6915e98c550a570864562ddad6b00f853d52dfe99c2d1abb14e08acd07520a8afd4a021a952332a7a3acd91822e90