1c5c2f23fa6baac047fb27abc757b6ca7494019a867f4284a421b630f1977e1c

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 22:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1770f0e6e58be02a1d146c351580f6a6.exe
Size

506KB
MD5

1770f0e6e58be02a1d146c351580f6a6
SHA1

a87338446d40d41172baabb7337624cad431aa32
SHA256

1c5c2f23fa6baac047fb27abc757b6ca7494019a867f4284a421b630f1977e1c
SHA512

bc7ac70bc9e10c54fa6d336b25b57335a30169df2c7ad02cb3110ede55ef378448a4b175bfc3a67451771c3144a17b9732a8c8fc2e5690d2d0c3fc5e11861aa7
SSDEEP

12288:xc9MslxaqopboMatEJ9UicUyqxyQPU9FfZIe9hBj3km:yuslxgozU9vcUPxyQPU9FhIe7Bl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1552	1770f0e6e58be02a1d146c351580f6a6.exe

Executes dropped EXE 1 IoCs

pid	Process
1552	1770f0e6e58be02a1d146c351580f6a6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1552	1770f0e6e58be02a1d146c351580f6a6.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1552	1770f0e6e58be02a1d146c351580f6a6.exe
1552	1770f0e6e58be02a1d146c351580f6a6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4936	1770f0e6e58be02a1d146c351580f6a6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4936	1770f0e6e58be02a1d146c351580f6a6.exe
1552	1770f0e6e58be02a1d146c351580f6a6.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 1552	4936	1770f0e6e58be02a1d146c351580f6a6.exe	88
PID 4936 wrote to memory of 1552	4936	1770f0e6e58be02a1d146c351580f6a6.exe	88
PID 4936 wrote to memory of 1552	4936	1770f0e6e58be02a1d146c351580f6a6.exe	88
PID 1552 wrote to memory of 4660	1552	1770f0e6e58be02a1d146c351580f6a6.exe	92
PID 1552 wrote to memory of 4660	1552	1770f0e6e58be02a1d146c351580f6a6.exe	92
PID 1552 wrote to memory of 4660	1552	1770f0e6e58be02a1d146c351580f6a6.exe	92

C:\Users\Admin\AppData\Local\Temp\1770f0e6e58be02a1d146c351580f6a6.exe
"C:\Users\Admin\AppData\Local\Temp\1770f0e6e58be02a1d146c351580f6a6.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\1770f0e6e58be02a1d146c351580f6a6.exe
  C:\Users\Admin\AppData\Local\Temp\1770f0e6e58be02a1d146c351580f6a6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\1770f0e6e58be02a1d146c351580f6a6.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1770f0e6e58be02a1d146c351580f6a6.exe

Filesize
506KB

MD5
0a4a740b65e286d0eed5639d1f2cc5ba

SHA1
a0f64e57d6c6b40e33314970639b2bbe89fc7e69

SHA256
623dfbf1624b3e73292f8391fdc627de0abbcd267a4ad07ba84a87205b2d12d1

SHA512
74ef7b2d280e08465c5dffcdfefd00ce4c239115dfa6d516f665e9b1175a6a76cc1c32f06a22dcf3517d12fae2bb453355da27c5575e943de6793412bf430960

Download Submit
memory/1552-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1552-16-0x0000000001630000-0x00000000016B3000-memory.dmp

Filesize
524KB

Download
memory/1552-21-0x0000000004F20000-0x0000000004F9E000-memory.dmp

Filesize
504KB

Download
memory/1552-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1552-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4936-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4936-1-0x00000000016B0000-0x0000000001733000-memory.dmp

Filesize
524KB

Download
memory/4936-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4936-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download