fcc458dfac4b5b6c2ba85d7dd6cf311ad49e9f9795933f213b8bc2370662b29b

Analysis

max time kernel
117s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1eb6f33ec9eaff85edb79015e75f5fa.exe
Size

1000KB
MD5

d1eb6f33ec9eaff85edb79015e75f5fa
SHA1

075d6b243ed9a698fcaa68944af6141e5c9b3b10
SHA256

fcc458dfac4b5b6c2ba85d7dd6cf311ad49e9f9795933f213b8bc2370662b29b
SHA512

836122e57875278211ea64dee4aca2b9472689cfb90fdbfcbcbd27a13a85e248fb3a36c645858cad98662c7ffb157adf40670bf9de20277448addd7eb473b511
SSDEEP

24576:VfxngE6B1XuI2jlMVyX8tv1B+5vMiqt0gj2ed:VfxQ1XuhlMEsVqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4036	d1eb6f33ec9eaff85edb79015e75f5fa.exe

Executes dropped EXE 1 IoCs

pid	Process
4036	d1eb6f33ec9eaff85edb79015e75f5fa.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
10	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4036	d1eb6f33ec9eaff85edb79015e75f5fa.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4036	d1eb6f33ec9eaff85edb79015e75f5fa.exe
4036	d1eb6f33ec9eaff85edb79015e75f5fa.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5088	d1eb6f33ec9eaff85edb79015e75f5fa.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5088	d1eb6f33ec9eaff85edb79015e75f5fa.exe
4036	d1eb6f33ec9eaff85edb79015e75f5fa.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 4036	5088	d1eb6f33ec9eaff85edb79015e75f5fa.exe	87
PID 5088 wrote to memory of 4036	5088	d1eb6f33ec9eaff85edb79015e75f5fa.exe	87
PID 5088 wrote to memory of 4036	5088	d1eb6f33ec9eaff85edb79015e75f5fa.exe	87
PID 4036 wrote to memory of 4344	4036	d1eb6f33ec9eaff85edb79015e75f5fa.exe	88
PID 4036 wrote to memory of 4344	4036	d1eb6f33ec9eaff85edb79015e75f5fa.exe	88
PID 4036 wrote to memory of 4344	4036	d1eb6f33ec9eaff85edb79015e75f5fa.exe	88

C:\Users\Admin\AppData\Local\Temp\d1eb6f33ec9eaff85edb79015e75f5fa.exe
"C:\Users\Admin\AppData\Local\Temp\d1eb6f33ec9eaff85edb79015e75f5fa.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Local\Temp\d1eb6f33ec9eaff85edb79015e75f5fa.exe
  C:\Users\Admin\AppData\Local\Temp\d1eb6f33ec9eaff85edb79015e75f5fa.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d1eb6f33ec9eaff85edb79015e75f5fa.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d1eb6f33ec9eaff85edb79015e75f5fa.exe

Filesize
1000KB

MD5
4aef53c5baf56d34e973f488d1db8ab2

SHA1
9d6baadfcfafe9fe63e5ce8815d10f04410943cd

SHA256
27c658a72fb75cee22cc648a96d964e12a47136ad77644e6e56664e7b3fb6735

SHA512
9162094a1338891e50f9a17068397dade4084000e3717b6cd9dc63d72b256e0cc4ebf57d8bda7a63b5569cf3aa992cb3d1a203e5daff559e48cf2a5dd1b3f078

Download Submit
memory/4036-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4036-16-0x0000000001650000-0x00000000016D3000-memory.dmp

Filesize
524KB

Download
memory/4036-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4036-20-0x0000000004F40000-0x0000000004FBE000-memory.dmp

Filesize
504KB

Download
memory/4036-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5088-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5088-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/5088-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5088-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download