eb3ddd325557474770374aae2aff25f1b5f3d99115b3fcccf1bdeb90dc6aee78

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0688754d8597f0ff5d0788792ee3495.exe
Size

1000KB
MD5

e0688754d8597f0ff5d0788792ee3495
SHA1

62ded93aa338addfe4490ac21173540673563c72
SHA256

eb3ddd325557474770374aae2aff25f1b5f3d99115b3fcccf1bdeb90dc6aee78
SHA512

d2840ecc6198db95b2a52ae6ab6679ece44890f3b8b8c9b4a6e00f1a5560e42e765007539a02be828197cce43982751fe5d82f0d61244a795f2368a70e0569ab
SSDEEP

12288:hhye1a8yswWKkZLxbKPqjPwbhnGMzx3I+ECaBwQ2tb5JLrnylUPqt0gHDS7eyod:/H2YKCTwbhnGEx3It1B+5vMiqt0gj2ed

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4804	e0688754d8597f0ff5d0788792ee3495.exe

Executes dropped EXE 1 IoCs

pid	Process
4804	e0688754d8597f0ff5d0788792ee3495.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	pastebin.com
16	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4804	e0688754d8597f0ff5d0788792ee3495.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4804	e0688754d8597f0ff5d0788792ee3495.exe
4804	e0688754d8597f0ff5d0788792ee3495.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1268	e0688754d8597f0ff5d0788792ee3495.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1268	e0688754d8597f0ff5d0788792ee3495.exe
4804	e0688754d8597f0ff5d0788792ee3495.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 4804	1268	e0688754d8597f0ff5d0788792ee3495.exe	93
PID 1268 wrote to memory of 4804	1268	e0688754d8597f0ff5d0788792ee3495.exe	93
PID 1268 wrote to memory of 4804	1268	e0688754d8597f0ff5d0788792ee3495.exe	93
PID 4804 wrote to memory of 4668	4804	e0688754d8597f0ff5d0788792ee3495.exe	96
PID 4804 wrote to memory of 4668	4804	e0688754d8597f0ff5d0788792ee3495.exe	96
PID 4804 wrote to memory of 4668	4804	e0688754d8597f0ff5d0788792ee3495.exe	96

C:\Users\Admin\AppData\Local\Temp\e0688754d8597f0ff5d0788792ee3495.exe
"C:\Users\Admin\AppData\Local\Temp\e0688754d8597f0ff5d0788792ee3495.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\e0688754d8597f0ff5d0788792ee3495.exe
  C:\Users\Admin\AppData\Local\Temp\e0688754d8597f0ff5d0788792ee3495.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\e0688754d8597f0ff5d0788792ee3495.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1060 --field-trial-handle=2292,i,2927097380497635931,2014459809064723663,262144 --variations-seed-version /prefetch:8
1⤵
PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e0688754d8597f0ff5d0788792ee3495.exe

Filesize
448KB

MD5
0d536c89852e029f148c16d7a799ee23

SHA1
8f274e0fcb168cba871625025f588bb225717491

SHA256
9859f2343ff5a962e032abbcbde3102dff9a297190b0dab1acc5c42e65a064d8

SHA512
4a402d854aab5bdb058c0b63b4588241fcb24750c82a7fabb48df9dcd3061feeacc8a5442ea935bd52e57ad9fe49f167c29fabee7298a5765d57e7ffbf05a5e5

Download Submit
memory/1268-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1268-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/1268-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1268-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4804-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4804-15-0x0000000001670000-0x00000000016F3000-memory.dmp

Filesize
524KB

Download
memory/4804-20-0x0000000004FA0000-0x000000000501E000-memory.dmp

Filesize
504KB

Download
memory/4804-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4804-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download