bc4da93ba2cc9d86f3503d39bdb5a2f49e791655418fb56ef7c7d25b67f3151a

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1680589563b03c2d726c81b11d62c0bf.exe
Size

506KB
MD5

1680589563b03c2d726c81b11d62c0bf
SHA1

4c3df47d45e0354a91e0964d77c1536871f7f26c
SHA256

bc4da93ba2cc9d86f3503d39bdb5a2f49e791655418fb56ef7c7d25b67f3151a
SHA512

88cb05355bd662b1feb39b0e5b46f192fec56ce4076d4413a2f10c78ea0b9661e76c5381f2238ef07a2c626c29d352a45d2372c6b911effd822084ad07eea607
SSDEEP

12288:DJzkBuzfn3YALa9Hg4OSiOGxJn6VMMjozxFUannBUvD0djZLS:hbLnHv67j4xFUanBVdlu

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2476	1680589563b03c2d726c81b11d62c0bf.exe

Executes dropped EXE 1 IoCs

pid	Process
2476	1680589563b03c2d726c81b11d62c0bf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2476	1680589563b03c2d726c81b11d62c0bf.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2476	1680589563b03c2d726c81b11d62c0bf.exe
2476	1680589563b03c2d726c81b11d62c0bf.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2504	1680589563b03c2d726c81b11d62c0bf.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2504	1680589563b03c2d726c81b11d62c0bf.exe
2476	1680589563b03c2d726c81b11d62c0bf.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2476	2504	1680589563b03c2d726c81b11d62c0bf.exe	91
PID 2504 wrote to memory of 2476	2504	1680589563b03c2d726c81b11d62c0bf.exe	91
PID 2504 wrote to memory of 2476	2504	1680589563b03c2d726c81b11d62c0bf.exe	91
PID 2476 wrote to memory of 2632	2476	1680589563b03c2d726c81b11d62c0bf.exe	92
PID 2476 wrote to memory of 2632	2476	1680589563b03c2d726c81b11d62c0bf.exe	92
PID 2476 wrote to memory of 2632	2476	1680589563b03c2d726c81b11d62c0bf.exe	92

C:\Users\Admin\AppData\Local\Temp\1680589563b03c2d726c81b11d62c0bf.exe
"C:\Users\Admin\AppData\Local\Temp\1680589563b03c2d726c81b11d62c0bf.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\1680589563b03c2d726c81b11d62c0bf.exe
  C:\Users\Admin\AppData\Local\Temp\1680589563b03c2d726c81b11d62c0bf.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\1680589563b03c2d726c81b11d62c0bf.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1680589563b03c2d726c81b11d62c0bf.exe

Filesize
506KB

MD5
3afc5ab381e9259e39b1426497e82f09

SHA1
1162224ad6ea130e2cbfef8f414763bd4e9d4da8

SHA256
1830431442972e92b81970400fd1f9c1137111bba4eb0a6c3bc3a4304005acd8

SHA512
8f352cf67bd2aa9ce315625bb95ba2ff02c095c1be00d382e8768f2132f5eecbd5de54efc85c0da8ebb0216a3e3b97f19c5758d4a0e363c0e791bb8a1a3b31f8

Download Submit
memory/2476-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2476-16-0x0000000001650000-0x00000000016D3000-memory.dmp

Filesize
524KB

Download
memory/2476-20-0x0000000004FA0000-0x000000000501E000-memory.dmp

Filesize
504KB

Download
memory/2476-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2476-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2504-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2504-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2504-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2504-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download