108b45eb026101e658e4b4d921d909694c85cea1a9d594810cc1e7e97632e334

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 14:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d3c15e5fda89169e801b703e27096700.exe
Size

1000KB
MD5

d3c15e5fda89169e801b703e27096700
SHA1

cac3b0b5b3b15377421f4405ddde1254737991c4
SHA256

108b45eb026101e658e4b4d921d909694c85cea1a9d594810cc1e7e97632e334
SHA512

b9c7070e2d96bf564264003d6ca18147f373f449a6b31a62d48100194e9bf9eb194d791efbe3b83bd2023e97f4c63f98873f89ce078bc7eb7bb7a5ef3d93ca01
SSDEEP

24576:ukJe6sIhzFs5KYERXb1B+5vMiqt0gj2ed:ukJLsMq5KLzqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4816	d3c15e5fda89169e801b703e27096700.exe

Executes dropped EXE 1 IoCs

pid	Process
4816	d3c15e5fda89169e801b703e27096700.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	pastebin.com
17	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4816	d3c15e5fda89169e801b703e27096700.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4816	d3c15e5fda89169e801b703e27096700.exe
4816	d3c15e5fda89169e801b703e27096700.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3628	d3c15e5fda89169e801b703e27096700.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3628	d3c15e5fda89169e801b703e27096700.exe
4816	d3c15e5fda89169e801b703e27096700.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 4816	3628	d3c15e5fda89169e801b703e27096700.exe	94
PID 3628 wrote to memory of 4816	3628	d3c15e5fda89169e801b703e27096700.exe	94
PID 3628 wrote to memory of 4816	3628	d3c15e5fda89169e801b703e27096700.exe	94
PID 4816 wrote to memory of 652	4816	d3c15e5fda89169e801b703e27096700.exe	97
PID 4816 wrote to memory of 652	4816	d3c15e5fda89169e801b703e27096700.exe	97
PID 4816 wrote to memory of 652	4816	d3c15e5fda89169e801b703e27096700.exe	97

C:\Users\Admin\AppData\Local\Temp\d3c15e5fda89169e801b703e27096700.exe
"C:\Users\Admin\AppData\Local\Temp\d3c15e5fda89169e801b703e27096700.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\d3c15e5fda89169e801b703e27096700.exe
  C:\Users\Admin\AppData\Local\Temp\d3c15e5fda89169e801b703e27096700.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d3c15e5fda89169e801b703e27096700.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=3112,i,1786399861560734457,5606877702857066305,262144 --variations-seed-version /prefetch:8
1⤵
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d3c15e5fda89169e801b703e27096700.exe

Filesize
1000KB

MD5
fad6096c9def9952e8e237cc4bae723c

SHA1
6f06f279dd34549971d1ff0b0c556c9f2ada3545

SHA256
142df64d198a1084316ded03fa068ca2bed081b08e40bfc7adcb62a6edb3d745

SHA512
97ea34092e397865d7553e1ea739894eedbcc8b1412f1830315fb9ea6df9222cd076add746309e9c64fc3538a73694fd205a1bd0ecb7d98906b45e0d3880b4cb

Download Submit
memory/3628-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3628-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/3628-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3628-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4816-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4816-15-0x0000000000160000-0x00000000001E3000-memory.dmp

Filesize
524KB

Download
memory/4816-20-0x0000000004F00000-0x0000000004F7E000-memory.dmp

Filesize
504KB

Download
memory/4816-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4816-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download