06bb5ccf3e2afc0b39219f008d724e2cc337536be4d0f8e5e91a714648034e0b

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7104bc31f3c759427211fce36de3939.exe
Size

1000KB
MD5

d7104bc31f3c759427211fce36de3939
SHA1

fb362aea5cd8c09b077e119cf0decc6796b43f7a
SHA256

06bb5ccf3e2afc0b39219f008d724e2cc337536be4d0f8e5e91a714648034e0b
SHA512

cf0e1df053e396553f08c2087a63943bb8e8c02d025823c56d70fe0ed21ed653ac7f0fb85386bf8acf8eaceb8224366e401fd4d5a64e5afb268a9ed5932171fa
SSDEEP

24576:tJO0PnVSSYgVWWVGL9W0DH01B+5vMiqt0gj2ed:tJrELgoW0L9WamqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2220	d7104bc31f3c759427211fce36de3939.exe

Executes dropped EXE 1 IoCs

pid	Process
2220	d7104bc31f3c759427211fce36de3939.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
11	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2220	d7104bc31f3c759427211fce36de3939.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2220	d7104bc31f3c759427211fce36de3939.exe
2220	d7104bc31f3c759427211fce36de3939.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4388	d7104bc31f3c759427211fce36de3939.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4388	d7104bc31f3c759427211fce36de3939.exe
2220	d7104bc31f3c759427211fce36de3939.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 2220	4388	d7104bc31f3c759427211fce36de3939.exe	88
PID 4388 wrote to memory of 2220	4388	d7104bc31f3c759427211fce36de3939.exe	88
PID 4388 wrote to memory of 2220	4388	d7104bc31f3c759427211fce36de3939.exe	88
PID 2220 wrote to memory of 2452	2220	d7104bc31f3c759427211fce36de3939.exe	92
PID 2220 wrote to memory of 2452	2220	d7104bc31f3c759427211fce36de3939.exe	92
PID 2220 wrote to memory of 2452	2220	d7104bc31f3c759427211fce36de3939.exe	92

C:\Users\Admin\AppData\Local\Temp\d7104bc31f3c759427211fce36de3939.exe
"C:\Users\Admin\AppData\Local\Temp\d7104bc31f3c759427211fce36de3939.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Local\Temp\d7104bc31f3c759427211fce36de3939.exe
  C:\Users\Admin\AppData\Local\Temp\d7104bc31f3c759427211fce36de3939.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d7104bc31f3c759427211fce36de3939.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d7104bc31f3c759427211fce36de3939.exe

Filesize
1000KB

MD5
7f871d8ed991724ba88e419ced6c4e74

SHA1
773b3a6bf92c019a39a0235c82b69b44e1cfa797

SHA256
1a8ae45709f18c470ea543e13f375ab26d7987ffb7b53ea690e84d57687936f2

SHA512
991b8533992138e93ef170d080e5b68e76f49464b4ea9daf0c9d46e95d71ee82dc1dbc80c63f129b8a963db352e89414e863cbf8ae486e3f7d0374c71d1014f5

Download Submit
memory/2220-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2220-15-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2220-20-0x0000000004F10000-0x0000000004F8E000-memory.dmp

Filesize
504KB

Download
memory/2220-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2220-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4388-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4388-1-0x0000000001640000-0x00000000016C3000-memory.dmp

Filesize
524KB

Download
memory/4388-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4388-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download