Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/03/2024, 00:49
Static task: static1
Behavioral task: behavioral1
- Sample: e05f9e6d5133b000e29bd1f967df4d72.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: e05f9e6d5133b000e29bd1f967df4d72.exe
- Resource: win10v2004-20240226-en
General
- Target: e05f9e6d5133b000e29bd1f967df4d72.exe
- Size: 1000KB
- MD5: e05f9e6d5133b000e29bd1f967df4d72
- SHA1: b577943f378c37a2920d50d6f7bd91c8a71adbe7
- SHA256: 3c26d0be235b357ee8943880612abfcf0dc2ab61ca521e25deddaf541a560b95
- SHA512: eb9ce56bbf5794398995773d58a21d18dfc45b38043b4538886b3da0692773ebb8e12bc4cdddedb2e99ec7b81f2323bf60da037b16012940f2fea8fda3f3bc24
- SSDEEP: 24576:cGaLG/yJAlyyLfB8Hq6kG1B+5vMiqt0gj2ed:cIxkqOL
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2016, process e05f9e6d5133b000e29bd1f967df4d72.exe
- Executes dropped EXE (1 IoC)
  pid 2016, process e05f9e6d5133b000e29bd1f967df4d72.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 15: pastebin.com
  flow 23: pastebin.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 2016, process e05f9e6d5133b000e29bd1f967df4d72.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3052, process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2016, process e05f9e6d5133b000e29bd1f967df4d72.exe
  pid 2016, process e05f9e6d5133b000e29bd1f967df4d72.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid 4024, process e05f9e6d5133b000e29bd1f967df4d72.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 4024, process e05f9e6d5133b000e29bd1f967df4d72.exe
  pid 2016, process e05f9e6d5133b000e29bd1f967df4d72.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 4024 wrote to memory of 2016 | 4024 | e05f9e6d5133b000e29bd1f967df4d72.exe | 88
  PID 4024 wrote to memory of 2016 | 4024 | e05f9e6d5133b000e29bd1f967df4d72.exe | 88
  PID 4024 wrote to memory of 2016 | 4024 | e05f9e6d5133b000e29bd1f967df4d72.exe | 88
  PID 2016 wrote to memory of 3052 | 2016 | e05f9e6d5133b000e29bd1f967df4d72.exe | 91
  PID 2016 wrote to memory of 3052 | 2016 | e05f9e6d5133b000e29bd1f967df4d72.exe | 91
  PID 2016 wrote to memory of 3052 | 2016 | e05f9e6d5133b000e29bd1f967df4d72.exe | 91
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\e05f9e6d5133b000e29bd1f967df4d72.exe (PID 4024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e05f9e6d5133b000e29bd1f967df4d72.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\e05f9e6d5133b000e29bd1f967df4d72.exe (PID 2016)
    Command line: C:\Users\Admin\AppData\Local\Temp\e05f9e6d5133b000e29bd1f967df4d72.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe (PID 3052)
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\e05f9e6d5133b000e29bd1f967df4d72.exe" /TN Google_Trk_Updater /F
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1000KB
  MD5: 829eb2f2733fedc8f3dbffe357ee8601
  SHA1: 7901d8393e4683f8474362563f2a36f175a7827a
  SHA256: 0dba62ae95b937ba674be5a4fa8c53b86d14422b7d9cfc6096cfa0228451e5a4
  SHA512: e442f4aea1dbb16d92715e777c16c8285e4a19802c207bc724353b6117d0b7b3c1c08ddb106454f0e4d92707bcd4eb2810c864b7a79d9abbae0e3aaa73996c91