Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 12-03-2024 22:59
Static task: static1
Behavioral task: behavioral1
  Sample: c4533ab5eac4e3245c4fe1c513a4a79b.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: c4533ab5eac4e3245c4fe1c513a4a79b.exe
  Resource: win10v2004-20240226-en
General
Target: c4533ab5eac4e3245c4fe1c513a4a79b.exe
Size: 1000KB
MD5: c4533ab5eac4e3245c4fe1c513a4a79b
SHA1: a5c2492561e05706a0dde72dbff5132e8b8e182f
SHA256: 95cf7d06af02e6bbade516230dbecc21ef762d2881756d42e396c9f5aed4c4ed
SHA512: 499675e1e67f6492db24b9c0116e77646d9be9b093980602a40c958faeb30a56033b27a3bebefd6c97c796a5105fb6fa0bfd429e134bde1f0f60b2a1f9ef6cb8
SSDEEP: 12288:OxcDxsHNiBnHTvB0EOvrehS1VECaBwQ2tb5JLrnylUPqt0gHDS7eyod:xmHynHjB0EmrehS81B+5vMiqt0gj2ed
Malware Config
Signatures
Deletes itself 1 IoCs
pid   Process
4740  c4533ab5eac4e3245c4fe1c513a4a79b.exe
Executes dropped EXE 1 IoCs
pid   Process
4740  c4533ab5eac4e3245c4fe1c513a4a79b.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow  ioc
23    pastebin.com
20    pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid   Process
4740  c4533ab5eac4e3245c4fe1c513a4a79b.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
3244  schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
4740  c4533ab5eac4e3245c4fe1c513a4a79b.exe
4740  c4533ab5eac4e3245c4fe1c513a4a79b.exe
Suspicious behavior: RenamesItself 1 IoCs
pid   Process
2428  c4533ab5eac4e3245c4fe1c513a4a79b.exe
Suspicious use of UnmapMainImage 2 IoCs
pid   Process
2428  c4533ab5eac4e3245c4fe1c513a4a79b.exe
4740  c4533ab5eac4e3245c4fe1c513a4a79b.exe
Suspicious use of WriteProcessMemory 6 IoCs
description                        pid   Process                               procid_target
PID 2428 wrote to memory of 4740   2428  c4533ab5eac4e3245c4fe1c513a4a79b.exe  88
PID 2428 wrote to memory of 4740   2428  c4533ab5eac4e3245c4fe1c513a4a79b.exe  88
PID 2428 wrote to memory of 4740   2428  c4533ab5eac4e3245c4fe1c513a4a79b.exe  88
PID 4740 wrote to memory of 3244   4740  c4533ab5eac4e3245c4fe1c513a4a79b.exe  91
PID 4740 wrote to memory of 3244   4740  c4533ab5eac4e3245c4fe1c513a4a79b.exe  91
PID 4740 wrote to memory of 3244   4740  c4533ab5eac4e3245c4fe1c513a4a79b.exe  91
Processes
1. C:\Users\Admin\AppData\Local\Temp\c4533ab5eac4e3245c4fe1c513a4a79b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c4533ab5eac4e3245c4fe1c513a4a79b.exe"
   PID: 2428
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\c4533ab5eac4e3245c4fe1c513a4a79b.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\c4533ab5eac4e3245c4fe1c513a4a79b.exe
      PID: 4740
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c4533ab5eac4e3245c4fe1c513a4a79b.exe" /TN Google_Trk_Updater /F
         PID: 3244
         - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1000KB
MD5: 18eefbb674333c04af523c528ac8ae5d
SHA1: 43a046a79a500f0b9879e8c8a9b240928b6aa0ac
SHA256: 088e008a31ce57bc22f6b222247421e96bc125e1d6c6e2f256b61f01eeb21cb3
SHA512: 19af847805b57fc5cdca8486436147a31ff936d1d85cb4fc861973b2e2bccd517343e8244ed53d829acd03fb003b48a2ed4ddc3a0c9816bb9dde89e6e1e9d918