0a5b9e27c512d8f860eaaa499e02a995f034ebee760b5315c66928b7a0c926db

General

Target

171464b68f7432720961f583a4928868.exe
Size

241KB
MD5

171464b68f7432720961f583a4928868
SHA1

b341102bc44063f0fab70d4d8bcf9e798fdf1dd1
SHA256

0a5b9e27c512d8f860eaaa499e02a995f034ebee760b5315c66928b7a0c926db
SHA512

9ed73db47c8d08340054ad11bbf0b962e863714acf615cc0142173f3f4197a8655ff9b0fd228cf9dc15cf2cf0cf11f96189e53e1d2aaaf985a837b80c3a7058b
SSDEEP

6144:LaIAwNDPyETk6gaYSJqMXmFJk+vtRvpa9lMH:LaIAAjcZZM+Jk4tfaTs

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2004	171464b68f7432720961f583a4928868.exe

Executes dropped EXE 1 IoCs

pid	Process
2004	171464b68f7432720961f583a4928868.exe

Loads dropped DLL 1 IoCs

pid	Process
848	171464b68f7432720961f583a4928868.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2004	171464b68f7432720961f583a4928868.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2004	171464b68f7432720961f583a4928868.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
848	171464b68f7432720961f583a4928868.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
848	171464b68f7432720961f583a4928868.exe
2004	171464b68f7432720961f583a4928868.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2004	848	171464b68f7432720961f583a4928868.exe	16
PID 848 wrote to memory of 2004	848	171464b68f7432720961f583a4928868.exe	16
PID 848 wrote to memory of 2004	848	171464b68f7432720961f583a4928868.exe	16
PID 848 wrote to memory of 2004	848	171464b68f7432720961f583a4928868.exe	16
PID 2004 wrote to memory of 2784	2004	171464b68f7432720961f583a4928868.exe	15
PID 2004 wrote to memory of 2784	2004	171464b68f7432720961f583a4928868.exe	15
PID 2004 wrote to memory of 2784	2004	171464b68f7432720961f583a4928868.exe	15
PID 2004 wrote to memory of 2784	2004	171464b68f7432720961f583a4928868.exe	15

C:\Users\Admin\AppData\Local\Temp\171464b68f7432720961f583a4928868.exe
"C:\Users\Admin\AppData\Local\Temp\171464b68f7432720961f583a4928868.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\171464b68f7432720961f583a4928868.exe
  C:\Users\Admin\AppData\Local\Temp\171464b68f7432720961f583a4928868.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2004

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\171464b68f7432720961f583a4928868.exe" /TN Google_Trk_Updater /F
1⤵
- Creates scheduled task(s)
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\171464b68f7432720961f583a4928868.exe

Filesize
38KB

MD5
35c14d9a39ef4388924891d99d6352d3

SHA1
bacd5767792b789decb133f4b1a5ce72d59a123d

SHA256
f7f236b4bf43430a8d9b2d1af8d91ca1651d886e32d472cfb6d370b4c00da13a

SHA512
ef6810668bd0b5fd3594f2b9938decbf1eb4412ff241335c0657bffb44b954558fa932787233b63b7d334617e92966f2599db2737991fdc5bbf61d57069f99b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab408B.tmp

Filesize
54KB

MD5
ebcc6e09183ea790741471eaed81ec48

SHA1
c7ba0a06e948285ee67f5a7797ad7b0c57794497

SHA256
536e1bba5265250f725e9ad4ba8bb574273e96480229f1cb823cf88a11262649

SHA512
363dde834552e4740d3149c7d7a0cbbf22416983871162796b5f7f57312820bae3488dda97bae5dbbc851c976d72e24e42184d1dc1b768a775dbfd2b30a05ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar40CD.tmp

Filesize
45KB

MD5
48b15d2fd6fa9928f51770c2c10af4d5

SHA1
3bc1ecd61fae1cab2e71681ec56ec719d1b329ce

SHA256
f08d41d850e85db1a9f97b723cb60d64f8591532ff74425958e104e7d2c5e9d2

SHA512
17a90816527e50224b82325e74bb723820d280cc9b9880079c39fd9c60a252f657a0a527f5637593928bb6b609f24d5225152d359ea59b875842b560cd2184b6

Download Submit
\Users\Admin\AppData\Local\Temp\171464b68f7432720961f583a4928868.exe

Filesize
79KB

MD5
31add8167e03bee5d096fca84a7f37c0

SHA1
0b5db4041ede544e66aa0fea4a44823c9848c966

SHA256
c2823b883e80bae11c016f353c61e10d4bdd56c2eb47fd2d08d2b0e88c3e94af

SHA512
29aeb2fa87ec43fa8a9bc3a985fe091b4ec236d1958cd83f2fa6fea4caf009f6598c1451f554077e32a21a77554c27a643a3e85cfe1577547aad2e115b194b49

Download Submit
memory/848-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/848-15-0x00000000014C0000-0x0000000001577000-memory.dmp

Filesize
732KB

Download
memory/848-2-0x0000000000240000-0x00000000002F7000-memory.dmp

Filesize
732KB

Download
memory/848-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/848-1-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2004-28-0x0000000002D40000-0x0000000002DA6000-memory.dmp

Filesize
408KB

Download
memory/2004-18-0x0000000000190000-0x0000000000247000-memory.dmp

Filesize
732KB

Download
memory/2004-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2004-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads