fda8c8adb5c7cd84d3ca9c009d825dbf4a17831abbbb4db4b61ed0d96f6c6086

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 17:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d6c162597540c48787379ca94a819df5.exe
Size

1000KB
MD5

d6c162597540c48787379ca94a819df5
SHA1

a1c899ab8c3b5554217362f806bae842bbd597bb
SHA256

fda8c8adb5c7cd84d3ca9c009d825dbf4a17831abbbb4db4b61ed0d96f6c6086
SHA512

e2bc5c55f73f52bca7e3793c51689eeede9119d73d85fbcf350234ec5ea54a5827748c0dc9cfd87939074839fe022356ed6c495683db9acced6a7f039b7609fb
SSDEEP

24576:QQM13qGTiJcy5wBkOYlIHOzaCiJ01B+5vMiqt0gj2ed:Z4qGTFPBkOMIOzaCisqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
212	d6c162597540c48787379ca94a819df5.exe

Executes dropped EXE 1 IoCs

pid	Process
212	d6c162597540c48787379ca94a819df5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	pastebin.com
28	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
212	d6c162597540c48787379ca94a819df5.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
212	d6c162597540c48787379ca94a819df5.exe
212	d6c162597540c48787379ca94a819df5.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2024	d6c162597540c48787379ca94a819df5.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2024	d6c162597540c48787379ca94a819df5.exe
212	d6c162597540c48787379ca94a819df5.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 212	2024	d6c162597540c48787379ca94a819df5.exe	88
PID 2024 wrote to memory of 212	2024	d6c162597540c48787379ca94a819df5.exe	88
PID 2024 wrote to memory of 212	2024	d6c162597540c48787379ca94a819df5.exe	88
PID 212 wrote to memory of 1544	212	d6c162597540c48787379ca94a819df5.exe	92
PID 212 wrote to memory of 1544	212	d6c162597540c48787379ca94a819df5.exe	92
PID 212 wrote to memory of 1544	212	d6c162597540c48787379ca94a819df5.exe	92

C:\Users\Admin\AppData\Local\Temp\d6c162597540c48787379ca94a819df5.exe
"C:\Users\Admin\AppData\Local\Temp\d6c162597540c48787379ca94a819df5.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\d6c162597540c48787379ca94a819df5.exe
  C:\Users\Admin\AppData\Local\Temp\d6c162597540c48787379ca94a819df5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d6c162597540c48787379ca94a819df5.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d6c162597540c48787379ca94a819df5.exe

Filesize
1000KB

MD5
15a55dc99575181ca54fa4525bce3b85

SHA1
55115f8a940b3ff2cc2acfdf4d8b55387ca28085

SHA256
15c75242b58a610cfcceafc770e7c38d960c013333923cc4297916a73020a67a

SHA512
170fd11de44d1180027080070e176c533efeeab7bbe63e4957e95dc343476e460ddb29487a3a4b5b7578b641a35ba84c707dccc9fddf49f044382308b9ab03a3

Download Submit
memory/212-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/212-15-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/212-20-0x0000000004F80000-0x0000000004FFE000-memory.dmp

Filesize
504KB

Download
memory/212-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/212-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2024-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2024-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2024-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2024-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download