75a6842f4147db418fd602e3e0e74b57de48dcc0e13617464a98cff9729ad5cb

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 22:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

15f738ec1017beaef279cfcd464bd35c.exe
Size

506KB
MD5

15f738ec1017beaef279cfcd464bd35c
SHA1

1280a3e2ba20b81f447e1db58b95c5f05c1f63b1
SHA256

75a6842f4147db418fd602e3e0e74b57de48dcc0e13617464a98cff9729ad5cb
SHA512

30ae7f45504e16d3109d6b652fdb76bbb717ba54dc0d97b68e231b942725563122801be19ae8463dd13a42561979013459e5db73b009ca9dd4c892888dfecf07
SSDEEP

12288:wonNzYhjsWivNuStBpO/I7miKMpJaJzpCQ93HYTH2qC:woNKjsWivNTfO/Ymi7faNx0C

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4888	15f738ec1017beaef279cfcd464bd35c.exe

Executes dropped EXE 1 IoCs

pid	Process
4888	15f738ec1017beaef279cfcd464bd35c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4888	15f738ec1017beaef279cfcd464bd35c.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4888	15f738ec1017beaef279cfcd464bd35c.exe
4888	15f738ec1017beaef279cfcd464bd35c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4576	15f738ec1017beaef279cfcd464bd35c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4576	15f738ec1017beaef279cfcd464bd35c.exe
4888	15f738ec1017beaef279cfcd464bd35c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 4888	4576	15f738ec1017beaef279cfcd464bd35c.exe	26
PID 4576 wrote to memory of 4888	4576	15f738ec1017beaef279cfcd464bd35c.exe	26
PID 4576 wrote to memory of 4888	4576	15f738ec1017beaef279cfcd464bd35c.exe	26
PID 4888 wrote to memory of 4564	4888	15f738ec1017beaef279cfcd464bd35c.exe	41
PID 4888 wrote to memory of 4564	4888	15f738ec1017beaef279cfcd464bd35c.exe	41
PID 4888 wrote to memory of 4564	4888	15f738ec1017beaef279cfcd464bd35c.exe	41

C:\Users\Admin\AppData\Local\Temp\15f738ec1017beaef279cfcd464bd35c.exe
"C:\Users\Admin\AppData\Local\Temp\15f738ec1017beaef279cfcd464bd35c.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\Temp\15f738ec1017beaef279cfcd464bd35c.exe
  C:\Users\Admin\AppData\Local\Temp\15f738ec1017beaef279cfcd464bd35c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\15f738ec1017beaef279cfcd464bd35c.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15f738ec1017beaef279cfcd464bd35c.exe

Filesize
61KB

MD5
2b6e505a58c50bfe3a62a8ab62bd6b5d

SHA1
c029e068b2da37e730802a1179cd7c8ba49beca1

SHA256
5c650ed613b89d46a06392d68720c82861bb8aa870a692e41c279b014a68f19f

SHA512
1a4c302e55672d08ed6e688b6e1f9838980592f89e9ffad3349ecca1026bd35cae8eff583dcd1bae58d3ac472312fdbb0d94890b29a14007f42e31d8fc21893d

Download Submit
memory/4576-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4576-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4576-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4576-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4888-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4888-15-0x0000000000150000-0x00000000001D3000-memory.dmp

Filesize
524KB

Download
memory/4888-20-0x0000000004EF0000-0x0000000004F6E000-memory.dmp

Filesize
504KB

Download
memory/4888-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4888-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download