7b0e6677c380db79e30a8d2c658424e2b5d7104f05c4465b6c98f772e9d514f3

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bed1366b4384c6cb82e23b25cf687d16.exe
Size

506KB
MD5

bed1366b4384c6cb82e23b25cf687d16
SHA1

04fb4a022440efe44bcd47e413d5554e1ea9e038
SHA256

7b0e6677c380db79e30a8d2c658424e2b5d7104f05c4465b6c98f772e9d514f3
SHA512

24bd466a8dc902ca930d304a5d8c2cc0770f7d4ab848987e4fe42dae0cbbf284b8d59e60c3cc16769f164195cc55e92a8fff51188a1a57872d12f17df8a60fae
SSDEEP

12288:QvZUMqaR47sQ3V0qDLGinvFQpf9ZpvhkdA2Bd+Sy:QT2sQ3hDiiYpv2dQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4604	bed1366b4384c6cb82e23b25cf687d16.exe

Executes dropped EXE 1 IoCs

pid	Process
4604	bed1366b4384c6cb82e23b25cf687d16.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
36	pastebin.com
34	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4604	bed1366b4384c6cb82e23b25cf687d16.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4604	bed1366b4384c6cb82e23b25cf687d16.exe
4604	bed1366b4384c6cb82e23b25cf687d16.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3600	bed1366b4384c6cb82e23b25cf687d16.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3600	bed1366b4384c6cb82e23b25cf687d16.exe
4604	bed1366b4384c6cb82e23b25cf687d16.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 4604	3600	bed1366b4384c6cb82e23b25cf687d16.exe	97
PID 3600 wrote to memory of 4604	3600	bed1366b4384c6cb82e23b25cf687d16.exe	97
PID 3600 wrote to memory of 4604	3600	bed1366b4384c6cb82e23b25cf687d16.exe	97
PID 4604 wrote to memory of 4308	4604	bed1366b4384c6cb82e23b25cf687d16.exe	98
PID 4604 wrote to memory of 4308	4604	bed1366b4384c6cb82e23b25cf687d16.exe	98
PID 4604 wrote to memory of 4308	4604	bed1366b4384c6cb82e23b25cf687d16.exe	98

C:\Users\Admin\AppData\Local\Temp\bed1366b4384c6cb82e23b25cf687d16.exe
"C:\Users\Admin\AppData\Local\Temp\bed1366b4384c6cb82e23b25cf687d16.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Users\Admin\AppData\Local\Temp\bed1366b4384c6cb82e23b25cf687d16.exe
  C:\Users\Admin\AppData\Local\Temp\bed1366b4384c6cb82e23b25cf687d16.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\bed1366b4384c6cb82e23b25cf687d16.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bed1366b4384c6cb82e23b25cf687d16.exe

Filesize
506KB

MD5
f5bb17406cf650fb7e72b55156fef753

SHA1
889aa18f36b7b9436856b42f21a0ca5c416e8c8e

SHA256
d13b8556f24ec593f99b5b21595d5cc23ddce88d49a2e8b3e59974e5d78630c9

SHA512
906be1e7c0620e92a08253f0039c268425150b37f9c4a27531a73b3a4f67c8776738e8c6f7416d502ce3a4fb9419901d839da0a455120f38d1d0ff8e1b2a83ff

Download Submit
memory/3600-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3600-1-0x0000000001690000-0x0000000001713000-memory.dmp

Filesize
524KB

Download
memory/3600-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3600-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4604-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4604-14-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4604-20-0x0000000004F00000-0x0000000004F7E000-memory.dmp

Filesize
504KB

Download
memory/4604-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4604-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download