3906dfac1e06177813649f2fd6a2f5d2102b79db1264b284fa61e79b3829860b

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdd0edc67729b05d92d7db1604aef877.exe
Size

1000KB
MD5

cdd0edc67729b05d92d7db1604aef877
SHA1

1578ac0e606e323b09573843eb002e53f8bab7c8
SHA256

3906dfac1e06177813649f2fd6a2f5d2102b79db1264b284fa61e79b3829860b
SHA512

f5a0746eb00e1ceb47d3d5ed9159fbd36611021c71eaad319520f9042705b4af81960aecc4bb5fda077e5a01f0495a8b1db8057854753fa4ad7a3fc8390a19c3
SSDEEP

24576:0fvBOCghNbmgHv2oa4jADC5O1B+5vMiqt0gj2ed:0xOCglv2WjADVqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2792	cdd0edc67729b05d92d7db1604aef877.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	cdd0edc67729b05d92d7db1604aef877.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
35	pastebin.com
37	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2792	cdd0edc67729b05d92d7db1604aef877.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2792	cdd0edc67729b05d92d7db1604aef877.exe
2792	cdd0edc67729b05d92d7db1604aef877.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1212	cdd0edc67729b05d92d7db1604aef877.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1212	cdd0edc67729b05d92d7db1604aef877.exe
2792	cdd0edc67729b05d92d7db1604aef877.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2792	1212	cdd0edc67729b05d92d7db1604aef877.exe	97
PID 1212 wrote to memory of 2792	1212	cdd0edc67729b05d92d7db1604aef877.exe	97
PID 1212 wrote to memory of 2792	1212	cdd0edc67729b05d92d7db1604aef877.exe	97
PID 2792 wrote to memory of 4316	2792	cdd0edc67729b05d92d7db1604aef877.exe	99
PID 2792 wrote to memory of 4316	2792	cdd0edc67729b05d92d7db1604aef877.exe	99
PID 2792 wrote to memory of 4316	2792	cdd0edc67729b05d92d7db1604aef877.exe	99

C:\Users\Admin\AppData\Local\Temp\cdd0edc67729b05d92d7db1604aef877.exe
"C:\Users\Admin\AppData\Local\Temp\cdd0edc67729b05d92d7db1604aef877.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\cdd0edc67729b05d92d7db1604aef877.exe
  C:\Users\Admin\AppData\Local\Temp\cdd0edc67729b05d92d7db1604aef877.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\cdd0edc67729b05d92d7db1604aef877.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdd0edc67729b05d92d7db1604aef877.exe

Filesize
1000KB

MD5
74e52b6aff6ac9eff56c6c5993b4396d

SHA1
ddba4372024bbcaba7f855c2eb12fc6e420f64b6

SHA256
095e116d04b1c2106cffff0ed5ac06e31384764b5a96a916e0632dbaf41d76e7

SHA512
3bc2e15fd08e1f384d72d97814ba612c14e44da461d9c251d74777cdebafeabcfb55d767d0271109b156d7af49c222dc38b61143e78f10f6629c37cffe338309

Download Submit
memory/1212-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1212-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/1212-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1212-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2792-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2792-15-0x0000000001670000-0x00000000016F3000-memory.dmp

Filesize
524KB

Download
memory/2792-20-0x0000000004F10000-0x0000000004F8E000-memory.dmp

Filesize
504KB

Download
memory/2792-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2792-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download