Analysis
- max time kernel: 144s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-03-2024 17:18
Behavioral task: behavioral1
- Sample: bc5ec041f77b4e78ea39b2b5476f4a88.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: bc5ec041f77b4e78ea39b2b5476f4a88.exe
- Resource: win10v2004-20240226-en
General
- Target: bc5ec041f77b4e78ea39b2b5476f4a88.exe
- Size: 483KB
- MD5: bc5ec041f77b4e78ea39b2b5476f4a88
- SHA1: 5a47d47fe55603f26847a8f7ba4182248f215fba
- SHA256: a30b3f060dc69295c6fb8da9bd75c29c6184c8a1658d1c7b8a90d4b23fe22617
- SHA512: 38e38543611084996f70e409fcbbf88af239d709d8e88c5c8556f26c5288ca445478ae36d8a34a63d2a6f12b07889368f5820d6696f4b81bfbb206cd95bc10c9
- SSDEEP: 12288:CcCbykb/LMgQOCE2N6Ihliq7ewBOvo4IWYyic2IL/Vi:6AjtE2Nt7e4JjWZfL/E
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 1292, process bc5ec041f77b4e78ea39b2b5476f4a88.exe
- Executes dropped EXE (1 IoC)
  pid 1292, process bc5ec041f77b4e78ea39b2b5476f4a88.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 34, ioc pastebin.com
  flow 37, ioc pastebin.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 1292, process bc5ec041f77b4e78ea39b2b5476f4a88.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 5096, process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1292, process bc5ec041f77b4e78ea39b2b5476f4a88.exe
  pid 1292, process bc5ec041f77b4e78ea39b2b5476f4a88.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid 3600, process bc5ec041f77b4e78ea39b2b5476f4a88.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 3600, process bc5ec041f77b4e78ea39b2b5476f4a88.exe
  pid 1292, process bc5ec041f77b4e78ea39b2b5476f4a88.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 3600 wrote to memory of 1292; pid 3600; process bc5ec041f77b4e78ea39b2b5476f4a88.exe; procid_target 99
  description: PID 3600 wrote to memory of 1292; pid 3600; process bc5ec041f77b4e78ea39b2b5476f4a88.exe; procid_target 99
  description: PID 3600 wrote to memory of 1292; pid 3600; process bc5ec041f77b4e78ea39b2b5476f4a88.exe; procid_target 99
  description: PID 1292 wrote to memory of 5096; pid 1292; process bc5ec041f77b4e78ea39b2b5476f4a88.exe; procid_target 100
  description: PID 1292 wrote to memory of 5096; pid 1292; process bc5ec041f77b4e78ea39b2b5476f4a88.exe; procid_target 100
  description: PID 1292 wrote to memory of 5096; pid 1292; process bc5ec041f77b4e78ea39b2b5476f4a88.exe; procid_target 100
Processes
- C:\Users\Admin\AppData\Local\Temp\bc5ec041f77b4e78ea39b2b5476f4a88.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\bc5ec041f77b4e78ea39b2b5476f4a88.exe"
  PID: 3600
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bc5ec041f77b4e78ea39b2b5476f4a88.exe (level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\bc5ec041f77b4e78ea39b2b5476f4a88.exe
    PID: 1292
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\bc5ec041f77b4e78ea39b2b5476f4a88.exe" /TN Google_Trk_Updater /F
      PID: 5096
      - Creates scheduled task(s)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
  PID: 4356
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 483KB
- MD5: 5550bd934a24c8dc1372dc342393d59d
- SHA1: 8f0a670e43353ad18d38d3043e0729aea11050b8
- SHA256: dcaef06f80d51196456c77f1b0feccdfdded33add704d51f2531205723cae348
- SHA512: 6b463f15ff0c15b1faf882b2679fabecb712399ce9133da89d1f0a7376ab80bded2ae1c518292bdfc566f0e437d8ed6b17efff4a665acab6c341be5e9fb69df8