40e1b2179a2a33b3dd81164a3d11d29d3b00f76f060acae151233dfcc45db3d8

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9a03a5585c527f53c3896a494da9a7a.exe
Size

1000KB
MD5

c9a03a5585c527f53c3896a494da9a7a
SHA1

d67b21d86bb1a1a158133fa8b72d5346e59d08fd
SHA256

40e1b2179a2a33b3dd81164a3d11d29d3b00f76f060acae151233dfcc45db3d8
SHA512

2757abf60dd40623dd252ecc26c9b07412e9c6bcd131db9ef4f6e90c93a8b1f85b44fceb3d89a4ae93d04947d7e8543a107f649cc4d814d0667509eed2d54b16
SSDEEP

24576:S9pnisPF1SOnZR8aQ2Y+PGAvFA1B+5vMiqt0gj2ed:UiYn78anFKqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
220	c9a03a5585c527f53c3896a494da9a7a.exe

Executes dropped EXE 1 IoCs

pid	Process
220	c9a03a5585c527f53c3896a494da9a7a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
16	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
220	c9a03a5585c527f53c3896a494da9a7a.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
220	c9a03a5585c527f53c3896a494da9a7a.exe
220	c9a03a5585c527f53c3896a494da9a7a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2560	c9a03a5585c527f53c3896a494da9a7a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2560	c9a03a5585c527f53c3896a494da9a7a.exe
220	c9a03a5585c527f53c3896a494da9a7a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 220	2560	c9a03a5585c527f53c3896a494da9a7a.exe	89
PID 2560 wrote to memory of 220	2560	c9a03a5585c527f53c3896a494da9a7a.exe	89
PID 2560 wrote to memory of 220	2560	c9a03a5585c527f53c3896a494da9a7a.exe	89
PID 220 wrote to memory of 4020	220	c9a03a5585c527f53c3896a494da9a7a.exe	93
PID 220 wrote to memory of 4020	220	c9a03a5585c527f53c3896a494da9a7a.exe	93
PID 220 wrote to memory of 4020	220	c9a03a5585c527f53c3896a494da9a7a.exe	93

C:\Users\Admin\AppData\Local\Temp\c9a03a5585c527f53c3896a494da9a7a.exe
"C:\Users\Admin\AppData\Local\Temp\c9a03a5585c527f53c3896a494da9a7a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\c9a03a5585c527f53c3896a494da9a7a.exe
  C:\Users\Admin\AppData\Local\Temp\c9a03a5585c527f53c3896a494da9a7a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c9a03a5585c527f53c3896a494da9a7a.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c9a03a5585c527f53c3896a494da9a7a.exe

Filesize
1000KB

MD5
36f631e232f6a56b3ed30b75661cdbe0

SHA1
a6a5cb177ccc1c7cc31c273901806d7036e66349

SHA256
a9c197afafa4899040f6683cca93559d4bcbe44b1f6110d88487db4b0ba8d62f

SHA512
c5fb0e88f36966436a552e59194ca3b81e0b4eefa3dd3fed28b116f9484fd8a0f6ca2cc9770976892a3b48df82f875b1e50a9f711914cd97dd1dd991cbd4e3a9

Download Submit
memory/220-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/220-15-0x0000000001650000-0x00000000016D3000-memory.dmp

Filesize
524KB

Download
memory/220-20-0x0000000004F30000-0x0000000004FAE000-memory.dmp

Filesize
504KB

Download
memory/220-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/220-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2560-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2560-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2560-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2560-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download