e8b136e2e9eb0f94846032d82c0ef68c864da926c71a13393fad32a3ec019816

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5845a033c4254bdce1141318d48350d.exe
Size

506KB
MD5

d5845a033c4254bdce1141318d48350d
SHA1

877113bf0eea35951d87e3cf9ad24be0ec6c9c26
SHA256

e8b136e2e9eb0f94846032d82c0ef68c864da926c71a13393fad32a3ec019816
SHA512

0b6fd8bd7be5c9538f0f60e84c4ca9a393cc8aca17f12659359d0f19f37fa281c70323acff98bfce521c6de144db37a92c37d1b3e398324520479a985b733353
SSDEEP

12288:EAqmUM5f5sw+4payI84/nLPzTNm/jsQ0QaaoTKh:pUY5sw+VyPMbNm/j/jiKh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	d5845a033c4254bdce1141318d48350d.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	d5845a033c4254bdce1141318d48350d.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	pastebin.com
16	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2692	d5845a033c4254bdce1141318d48350d.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2692	d5845a033c4254bdce1141318d48350d.exe
2692	d5845a033c4254bdce1141318d48350d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1136	d5845a033c4254bdce1141318d48350d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1136	d5845a033c4254bdce1141318d48350d.exe
2692	d5845a033c4254bdce1141318d48350d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 2692	1136	d5845a033c4254bdce1141318d48350d.exe	87
PID 1136 wrote to memory of 2692	1136	d5845a033c4254bdce1141318d48350d.exe	87
PID 1136 wrote to memory of 2692	1136	d5845a033c4254bdce1141318d48350d.exe	87
PID 2692 wrote to memory of 3884	2692	d5845a033c4254bdce1141318d48350d.exe	89
PID 2692 wrote to memory of 3884	2692	d5845a033c4254bdce1141318d48350d.exe	89
PID 2692 wrote to memory of 3884	2692	d5845a033c4254bdce1141318d48350d.exe	89

C:\Users\Admin\AppData\Local\Temp\d5845a033c4254bdce1141318d48350d.exe
"C:\Users\Admin\AppData\Local\Temp\d5845a033c4254bdce1141318d48350d.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin\AppData\Local\Temp\d5845a033c4254bdce1141318d48350d.exe
  C:\Users\Admin\AppData\Local\Temp\d5845a033c4254bdce1141318d48350d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d5845a033c4254bdce1141318d48350d.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d5845a033c4254bdce1141318d48350d.exe

Filesize
506KB

MD5
ebbd802f510fc0af87b157501ba17684

SHA1
f34a4737877116ee34ec48cb62271a2bf58aeb3d

SHA256
ccb449ef3ac2d13ec6de51fb2ade887a96e02538869f0e086681cda804f41e6b

SHA512
64c8e70c79477d0eaaf634b2c727aa149f1b03258419dd267ca8638e549628673a1081ac2f7e173011c186031aa470941798b8ef4b135e722635de770b3405a8

Download Submit
memory/1136-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1136-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/1136-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1136-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2692-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2692-15-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2692-20-0x0000000004F60000-0x0000000004FDE000-memory.dmp

Filesize
504KB

Download
memory/2692-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2692-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download