1c5c2f23fa6baac047fb27abc757b6ca7494019a867f4284a421b630f1977e1c

General

Target

1770f0e6e58be02a1d146c351580f6a6.exe
Size

506KB
MD5

1770f0e6e58be02a1d146c351580f6a6
SHA1

a87338446d40d41172baabb7337624cad431aa32
SHA256

1c5c2f23fa6baac047fb27abc757b6ca7494019a867f4284a421b630f1977e1c
SHA512

bc7ac70bc9e10c54fa6d336b25b57335a30169df2c7ad02cb3110ede55ef378448a4b175bfc3a67451771c3144a17b9732a8c8fc2e5690d2d0c3fc5e11861aa7
SSDEEP

12288:xc9MslxaqopboMatEJ9UicUyqxyQPU9FfZIe9hBj3km:yuslxgozU9vcUPxyQPU9FhIe7Bl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2820	1770f0e6e58be02a1d146c351580f6a6.exe

Executes dropped EXE 1 IoCs

pid	Process
2820	1770f0e6e58be02a1d146c351580f6a6.exe

Loads dropped DLL 1 IoCs

pid	Process
2880	1770f0e6e58be02a1d146c351580f6a6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2820	1770f0e6e58be02a1d146c351580f6a6.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2820	1770f0e6e58be02a1d146c351580f6a6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2880	1770f0e6e58be02a1d146c351580f6a6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2880	1770f0e6e58be02a1d146c351580f6a6.exe
2820	1770f0e6e58be02a1d146c351580f6a6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2820	2880	1770f0e6e58be02a1d146c351580f6a6.exe	23
PID 2880 wrote to memory of 2820	2880	1770f0e6e58be02a1d146c351580f6a6.exe	23
PID 2880 wrote to memory of 2820	2880	1770f0e6e58be02a1d146c351580f6a6.exe	23
PID 2880 wrote to memory of 2820	2880	1770f0e6e58be02a1d146c351580f6a6.exe	23
PID 2820 wrote to memory of 2584	2820	1770f0e6e58be02a1d146c351580f6a6.exe	28
PID 2820 wrote to memory of 2584	2820	1770f0e6e58be02a1d146c351580f6a6.exe	28
PID 2820 wrote to memory of 2584	2820	1770f0e6e58be02a1d146c351580f6a6.exe	28
PID 2820 wrote to memory of 2584	2820	1770f0e6e58be02a1d146c351580f6a6.exe	28

C:\Users\Admin\AppData\Local\Temp\1770f0e6e58be02a1d146c351580f6a6.exe
"C:\Users\Admin\AppData\Local\Temp\1770f0e6e58be02a1d146c351580f6a6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\1770f0e6e58be02a1d146c351580f6a6.exe
  C:\Users\Admin\AppData\Local\Temp\1770f0e6e58be02a1d146c351580f6a6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\1770f0e6e58be02a1d146c351580f6a6.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1770f0e6e58be02a1d146c351580f6a6.exe

Filesize
229KB

MD5
00cce72b490b7c0769182d2a7b5a2ab0

SHA1
82ee9201c6245ace2ba797cd3e19435e756da9b1

SHA256
d8de187749ae35962e0056ed132dbba368e2f3e94627a2f04846ccadefa1d237

SHA512
f6fa120d46cad1cafde818eff2191d087315b16c97e43319cdc61319433d6b8b9f2cd869e0c9424a875192d38a7404ddb4d7f33ede31bd416571c4485ca357d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar29E3.tmp

Filesize
129KB

MD5
c933d38769e8070c3c03dd5082ca44dd

SHA1
b63d31b0c48f31d56227a3a055fba4dd658952a8

SHA256
d6702d988b0e9a02c2f7f6c84d1d778c5fbc82638875201129125e20327b4b17

SHA512
97ab47de836eb9fcf51ae0f8966d2c5d0f475d4c0cf4154fa4a8d389019d068252f2f4e9c3692622c2a4cdf271ba3d159f434f8db29419d082ce04f52192d577

Download Submit
\Users\Admin\AppData\Local\Temp\1770f0e6e58be02a1d146c351580f6a6.exe

Filesize
259KB

MD5
9b339ac1771b691666a3496f30b50fd1

SHA1
ff4727f282821b1d25e28b0b13f668301e062b11

SHA256
ea1986705f1975dd84b49a01001b3ee3b25745a59fe816a1f86f84a17b1d74ff

SHA512
df351684b94bf3df28c643284d5880e07d19080c55f7d86697fc59f556e30bc62aa785924918a1b72ff8c6b6285ea501e9fd6e720ab4b7d4e737c707c9d9e370

Download Submit
memory/2820-18-0x00000000001A0000-0x0000000000223000-memory.dmp

Filesize
524KB

Download
memory/2820-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2820-29-0x0000000002D50000-0x0000000002DCE000-memory.dmp

Filesize
504KB

Download
memory/2820-21-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2820-67-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2880-15-0x0000000001520000-0x00000000015A3000-memory.dmp

Filesize
524KB

Download
memory/2880-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2880-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2880-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2880-2-0x0000000001490000-0x0000000001513000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads