eff9c7b20f885825eda37388d1c21d7209cd0a4b83d62d956fc9a5429b470e6e

Analysis

max time kernel
90s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e043c98e2882e8f3083e79f20389f11c.exe
Size

1000KB
MD5

e043c98e2882e8f3083e79f20389f11c
SHA1

ecfa4299d184466846cd931f5af3e7546fd6a71b
SHA256

eff9c7b20f885825eda37388d1c21d7209cd0a4b83d62d956fc9a5429b470e6e
SHA512

f5bd100dd4fa08e8c8dd29e7ee29a7f9d8f64c78d92d6241444c440c506377db2afef431be030679c67ddeb8e76a743ff8bb92857dccb80a49589274531e2be5
SSDEEP

24576:HFzxPqt1PISah1YWRsA7phIt6RYScYTpiQX1B+5vMiqt0gj2ed:HfvjrRvIt627QnqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3260	e043c98e2882e8f3083e79f20389f11c.exe

Executes dropped EXE 1 IoCs

pid	Process
3260	e043c98e2882e8f3083e79f20389f11c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	pastebin.com
33	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3260	e043c98e2882e8f3083e79f20389f11c.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3260	e043c98e2882e8f3083e79f20389f11c.exe
3260	e043c98e2882e8f3083e79f20389f11c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1400	e043c98e2882e8f3083e79f20389f11c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1400	e043c98e2882e8f3083e79f20389f11c.exe
3260	e043c98e2882e8f3083e79f20389f11c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 3260	1400	e043c98e2882e8f3083e79f20389f11c.exe	88
PID 1400 wrote to memory of 3260	1400	e043c98e2882e8f3083e79f20389f11c.exe	88
PID 1400 wrote to memory of 3260	1400	e043c98e2882e8f3083e79f20389f11c.exe	88
PID 3260 wrote to memory of 2356	3260	e043c98e2882e8f3083e79f20389f11c.exe	91
PID 3260 wrote to memory of 2356	3260	e043c98e2882e8f3083e79f20389f11c.exe	91
PID 3260 wrote to memory of 2356	3260	e043c98e2882e8f3083e79f20389f11c.exe	91

C:\Users\Admin\AppData\Local\Temp\e043c98e2882e8f3083e79f20389f11c.exe
"C:\Users\Admin\AppData\Local\Temp\e043c98e2882e8f3083e79f20389f11c.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\e043c98e2882e8f3083e79f20389f11c.exe
  C:\Users\Admin\AppData\Local\Temp\e043c98e2882e8f3083e79f20389f11c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\e043c98e2882e8f3083e79f20389f11c.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e043c98e2882e8f3083e79f20389f11c.exe

Filesize
192KB

MD5
588110ca0bdaea942d25ba68f360066a

SHA1
71411657d2d51c2bb3825523c2fc2639f31439ff

SHA256
89cfd242cd84e65e103b6e9bc90e3005d1a8546c87b36e81ab33b1a4562c1e5c

SHA512
9a4c9b25af97b1174160b701ab220534136eb42be56f45ba7c2a22930c075adbdae07d5220446d721c5dcdae94607211123e14c5a891c746fc72391663363723

Download Submit
memory/1400-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1400-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/1400-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1400-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3260-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3260-14-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/3260-20-0x0000000001680000-0x00000000016FE000-memory.dmp

Filesize
504KB

Download
memory/3260-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3260-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download