dbdbea5a20e829202ba439e49115648a54517a78c730c8a1ae946338ba4ab224

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3ba6e97ec37af735f11a5017b855c8a.exe
Size

1000KB
MD5

d3ba6e97ec37af735f11a5017b855c8a
SHA1

9bf9af8e258b0a3ddc10e4f9cb96e82c9c20cf72
SHA256

dbdbea5a20e829202ba439e49115648a54517a78c730c8a1ae946338ba4ab224
SHA512

2a2457da4ae9fb4cc58e49cc7b966d4a892d5a08be5e53c1314e672579c3f52f58922176d5ba857513f70e48531d79fd072436880b54c825a60f8cf964587762
SSDEEP

24576:/jDNOxG7llqVezAw2Cqcq1B+5vMiqt0gj2ed:bhOxG7WVecw2CyqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2344	d3ba6e97ec37af735f11a5017b855c8a.exe

Executes dropped EXE 1 IoCs

pid	Process
2344	d3ba6e97ec37af735f11a5017b855c8a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
20	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2344	d3ba6e97ec37af735f11a5017b855c8a.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2344	d3ba6e97ec37af735f11a5017b855c8a.exe
2344	d3ba6e97ec37af735f11a5017b855c8a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2140	d3ba6e97ec37af735f11a5017b855c8a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2140	d3ba6e97ec37af735f11a5017b855c8a.exe
2344	d3ba6e97ec37af735f11a5017b855c8a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2344	2140	d3ba6e97ec37af735f11a5017b855c8a.exe	88
PID 2140 wrote to memory of 2344	2140	d3ba6e97ec37af735f11a5017b855c8a.exe	88
PID 2140 wrote to memory of 2344	2140	d3ba6e97ec37af735f11a5017b855c8a.exe	88
PID 2344 wrote to memory of 1556	2344	d3ba6e97ec37af735f11a5017b855c8a.exe	91
PID 2344 wrote to memory of 1556	2344	d3ba6e97ec37af735f11a5017b855c8a.exe	91
PID 2344 wrote to memory of 1556	2344	d3ba6e97ec37af735f11a5017b855c8a.exe	91

C:\Users\Admin\AppData\Local\Temp\d3ba6e97ec37af735f11a5017b855c8a.exe
"C:\Users\Admin\AppData\Local\Temp\d3ba6e97ec37af735f11a5017b855c8a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\d3ba6e97ec37af735f11a5017b855c8a.exe
  C:\Users\Admin\AppData\Local\Temp\d3ba6e97ec37af735f11a5017b855c8a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d3ba6e97ec37af735f11a5017b855c8a.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d3ba6e97ec37af735f11a5017b855c8a.exe

Filesize
1000KB

MD5
d5c85eee4a3e72325a9751156fc7c27d

SHA1
f54550ecb73c68389c44ed0407f7c25ea5645bad

SHA256
99581e5d9513a38163d5c78486a63bf93a3e664c40cb9e2d932539ec64b43e34

SHA512
db54677c3e56250c1270e62c0f7353f827fb36d9ca7388a0b2fd762bb5e529ba3d0c6c4f4d7061e684ba90957fd46c9e7e82fd69c140f277d7b9aa738ac40a32

Download Submit
memory/2140-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2140-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2140-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2140-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2344-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2344-16-0x00000000015E0000-0x0000000001663000-memory.dmp

Filesize
524KB

Download
memory/2344-20-0x0000000004F70000-0x0000000004FEE000-memory.dmp

Filesize
504KB

Download
memory/2344-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2344-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download