57def8d3882219c9989ecb7c4ba8b692d1beeb7eae965f1810722368bc69c893

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 07:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e112bc3d244d7e8b725758285da8469c.exe
Size

1000KB
MD5

e112bc3d244d7e8b725758285da8469c
SHA1

409eef1ad061b55ae68f76369820d67f39de1e48
SHA256

57def8d3882219c9989ecb7c4ba8b692d1beeb7eae965f1810722368bc69c893
SHA512

050206a506a638763d02fbb7014e0a38d3467ebdf96f88abdd61b2480a6d1d9cc7d914832bbb849e50acc67f861cc7b796054766ba0bba2d35fdc6ce2e8cfd19
SSDEEP

24576:Pf4dU3RJfqYRAhovIeIEd0n9w1B+5vMiqt0gj2ed:YWRJf/YUIeIEd0gqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1212	e112bc3d244d7e8b725758285da8469c.exe

Executes dropped EXE 1 IoCs

pid	Process
1212	e112bc3d244d7e8b725758285da8469c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
30	pastebin.com
45	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1212	e112bc3d244d7e8b725758285da8469c.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1212	e112bc3d244d7e8b725758285da8469c.exe
1212	e112bc3d244d7e8b725758285da8469c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1808	e112bc3d244d7e8b725758285da8469c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1808	e112bc3d244d7e8b725758285da8469c.exe
1212	e112bc3d244d7e8b725758285da8469c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1212	1808	e112bc3d244d7e8b725758285da8469c.exe	95
PID 1808 wrote to memory of 1212	1808	e112bc3d244d7e8b725758285da8469c.exe	95
PID 1808 wrote to memory of 1212	1808	e112bc3d244d7e8b725758285da8469c.exe	95
PID 1212 wrote to memory of 5100	1212	e112bc3d244d7e8b725758285da8469c.exe	98
PID 1212 wrote to memory of 5100	1212	e112bc3d244d7e8b725758285da8469c.exe	98
PID 1212 wrote to memory of 5100	1212	e112bc3d244d7e8b725758285da8469c.exe	98

C:\Users\Admin\AppData\Local\Temp\e112bc3d244d7e8b725758285da8469c.exe
"C:\Users\Admin\AppData\Local\Temp\e112bc3d244d7e8b725758285da8469c.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\e112bc3d244d7e8b725758285da8469c.exe
  C:\Users\Admin\AppData\Local\Temp\e112bc3d244d7e8b725758285da8469c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\e112bc3d244d7e8b725758285da8469c.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2524 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e112bc3d244d7e8b725758285da8469c.exe

Filesize
1000KB

MD5
6d8021ed0542a8da85d2498976ded4d9

SHA1
71fb3791c2268d2b15fc325b343e73f5d5fbdb6a

SHA256
4b784d6fd60ef9a92030de83a39dd4f6e096937e3c50869c427c33eca08e1f17

SHA512
9575b915c014124e56fd68a54ee9c1191f59d5ad8175b5066a635d747b260d0539988f488c27368607324567bebc52bb65a739cc53a25a525fa97c672fd9d659

Download Submit
memory/1212-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1212-14-0x0000000001560000-0x00000000015E3000-memory.dmp

Filesize
524KB

Download
memory/1212-20-0x0000000004F50000-0x0000000004FCE000-memory.dmp

Filesize
504KB

Download
memory/1212-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1212-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1808-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1808-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/1808-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1808-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download