252385d2f2b80fe7a02f557f08a022b18bce6e51810f2c5a04c55c4bf3d963ef

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2024, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d768c2f5df0d4a31e0e062be74d4e43b.exe
Size

241KB
MD5

d768c2f5df0d4a31e0e062be74d4e43b
SHA1

7c4660566893f1703223a91d3296785562bd1549
SHA256

252385d2f2b80fe7a02f557f08a022b18bce6e51810f2c5a04c55c4bf3d963ef
SHA512

319ec85399622f6a4630d5373cd933cd9572aaf1683d7cf9a1091f2059a42ab933532ec7662991cc4ecd962df799aae5a98bc89a7e1b65cc4abf4e156727fc79
SSDEEP

6144:KCHX8sfphlfZHOVf/FDmd6Ddc8fiF3B5+F8VAeRhRoh:7ssRVImd6RH6JBe6AeRhRoh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4480	d768c2f5df0d4a31e0e062be74d4e43b.exe

Executes dropped EXE 1 IoCs

pid	Process
4480	d768c2f5df0d4a31e0e062be74d4e43b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	pastebin.com
17	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4480	d768c2f5df0d4a31e0e062be74d4e43b.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4480	d768c2f5df0d4a31e0e062be74d4e43b.exe
4480	d768c2f5df0d4a31e0e062be74d4e43b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
388	d768c2f5df0d4a31e0e062be74d4e43b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
388	d768c2f5df0d4a31e0e062be74d4e43b.exe
4480	d768c2f5df0d4a31e0e062be74d4e43b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 4480	388	d768c2f5df0d4a31e0e062be74d4e43b.exe	88
PID 388 wrote to memory of 4480	388	d768c2f5df0d4a31e0e062be74d4e43b.exe	88
PID 388 wrote to memory of 4480	388	d768c2f5df0d4a31e0e062be74d4e43b.exe	88
PID 4480 wrote to memory of 2232	4480	d768c2f5df0d4a31e0e062be74d4e43b.exe	92
PID 4480 wrote to memory of 2232	4480	d768c2f5df0d4a31e0e062be74d4e43b.exe	92
PID 4480 wrote to memory of 2232	4480	d768c2f5df0d4a31e0e062be74d4e43b.exe	92

C:\Users\Admin\AppData\Local\Temp\d768c2f5df0d4a31e0e062be74d4e43b.exe
"C:\Users\Admin\AppData\Local\Temp\d768c2f5df0d4a31e0e062be74d4e43b.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Local\Temp\d768c2f5df0d4a31e0e062be74d4e43b.exe
  C:\Users\Admin\AppData\Local\Temp\d768c2f5df0d4a31e0e062be74d4e43b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d768c2f5df0d4a31e0e062be74d4e43b.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d768c2f5df0d4a31e0e062be74d4e43b.exe

Filesize
241KB

MD5
07eae3241a5f64d6d3a82423e6508d03

SHA1
a09c7dcebd9c5435c95e2055d159b91c4f9706bc

SHA256
5de024adf013927d7832a6a51c59c19c4091d47ee6692a0917c9d06fdf37a745

SHA512
00d1df0db53411c77cc41769afb1dd9b7739c593d264b20954159883f1bb4d38a02445e8ce3d22fe418d9b0cbe656e32290d1397d3e7f4dc16704b1f61408266

Download Submit
memory/388-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/388-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/388-1-0x00000000016A0000-0x0000000001757000-memory.dmp

Filesize
732KB

Download
memory/388-11-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4480-13-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4480-15-0x00000000014C0000-0x0000000001577000-memory.dmp

Filesize
732KB

Download
memory/4480-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4480-20-0x0000000001670000-0x00000000016D6000-memory.dmp

Filesize
408KB

Download
memory/4480-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download