162176dd27cff995ab743814ad56dc74fce12b98f7b5d8cbfd4949544d847c00

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 16:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d4033aaf1527a4ce14e754e14bddd9a2.exe
Size

1000KB
MD5

d4033aaf1527a4ce14e754e14bddd9a2
SHA1

00a4a66cdd3d32827c2c70122f1792018d95e48e
SHA256

162176dd27cff995ab743814ad56dc74fce12b98f7b5d8cbfd4949544d847c00
SHA512

7c23b70f1105fad2deb596a4aedac0159e2cfd58279fc7d317f2687b0154fe709b28530223b4daef32cd1ae116f1c3dba64b65d8c0945d088d1aab60f8808107
SSDEEP

12288:n2xBN/wChxI5LL/fvvtuYMSXkbaAcF3k6mECaBwQ2tb5JLrnylUPqt0gHDS7eyod:2xH/wexI5LLHyQkM1B+5vMiqt0gj2ed

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1648	d4033aaf1527a4ce14e754e14bddd9a2.exe

Executes dropped EXE 1 IoCs

pid	Process
1648	d4033aaf1527a4ce14e754e14bddd9a2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	pastebin.com
22	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1648	d4033aaf1527a4ce14e754e14bddd9a2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1648	d4033aaf1527a4ce14e754e14bddd9a2.exe
1648	d4033aaf1527a4ce14e754e14bddd9a2.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2900	d4033aaf1527a4ce14e754e14bddd9a2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2900	d4033aaf1527a4ce14e754e14bddd9a2.exe
1648	d4033aaf1527a4ce14e754e14bddd9a2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 1648	2900	d4033aaf1527a4ce14e754e14bddd9a2.exe	85
PID 2900 wrote to memory of 1648	2900	d4033aaf1527a4ce14e754e14bddd9a2.exe	85
PID 2900 wrote to memory of 1648	2900	d4033aaf1527a4ce14e754e14bddd9a2.exe	85
PID 1648 wrote to memory of 668	1648	d4033aaf1527a4ce14e754e14bddd9a2.exe	86
PID 1648 wrote to memory of 668	1648	d4033aaf1527a4ce14e754e14bddd9a2.exe	86
PID 1648 wrote to memory of 668	1648	d4033aaf1527a4ce14e754e14bddd9a2.exe	86

C:\Users\Admin\AppData\Local\Temp\d4033aaf1527a4ce14e754e14bddd9a2.exe
"C:\Users\Admin\AppData\Local\Temp\d4033aaf1527a4ce14e754e14bddd9a2.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\d4033aaf1527a4ce14e754e14bddd9a2.exe
  C:\Users\Admin\AppData\Local\Temp\d4033aaf1527a4ce14e754e14bddd9a2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d4033aaf1527a4ce14e754e14bddd9a2.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d4033aaf1527a4ce14e754e14bddd9a2.exe

Filesize
1000KB

MD5
3ea76daa753d5748f59f8d5eece0961a

SHA1
4f275433f17ea9525864f283c6c1a4728233e21c

SHA256
52a7408949a9cd80b6dab705f9e4ab82527c9631834c56dda814bbd3be17d19a

SHA512
6163e8551e13512c9f2fa8a7c7ab8ea72514c7cc1a860a10bca665506ccf94c63a39c653dd14f7dc5dba8118f4c3913c4e43a570266590764bd58af9eea0c5e4

Download Submit
memory/1648-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1648-17-0x00000000016E0000-0x0000000001763000-memory.dmp

Filesize
524KB

Download
memory/1648-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1648-22-0x0000000005000000-0x000000000507E000-memory.dmp

Filesize
504KB

Download
memory/1648-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2900-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2900-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2900-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2900-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download