aa6a25721fa4a71e939f88c09bde15b1b1d8097a8ff39b11bac0b7edfa4a0d80

General

Target

1b854ff428d213cf6027aabf80f94008.exe
Size

1000KB
MD5

1b854ff428d213cf6027aabf80f94008
SHA1

b3c7eb47bc161d0069c546daa35a46648b70f2cd
SHA256

aa6a25721fa4a71e939f88c09bde15b1b1d8097a8ff39b11bac0b7edfa4a0d80
SHA512

a94de60ecc30e9787ef0c1e22016eb9da71579139d2db9c82208fbd068bda7ffe0faccf1859e052852d31a45e82430079c82ebd82235a1a0add784d25e8aed23
SSDEEP

24576:aKd2/xq6VecWfa5sHGdqRDoeY7d15ipq1B+5vMiqt0gj2ed:ZY/xq64Vfa5sHGdqRDoeY7dvipgqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1724	1b854ff428d213cf6027aabf80f94008.exe

Executes dropped EXE 1 IoCs

pid	Process
1724	1b854ff428d213cf6027aabf80f94008.exe

Loads dropped DLL 1 IoCs

pid	Process
1876	1b854ff428d213cf6027aabf80f94008.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1724	1b854ff428d213cf6027aabf80f94008.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1724	1b854ff428d213cf6027aabf80f94008.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1876	1b854ff428d213cf6027aabf80f94008.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1876	1b854ff428d213cf6027aabf80f94008.exe
1724	1b854ff428d213cf6027aabf80f94008.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 1724	1876	1b854ff428d213cf6027aabf80f94008.exe	16
PID 1876 wrote to memory of 1724	1876	1b854ff428d213cf6027aabf80f94008.exe	16
PID 1876 wrote to memory of 1724	1876	1b854ff428d213cf6027aabf80f94008.exe	16
PID 1876 wrote to memory of 1724	1876	1b854ff428d213cf6027aabf80f94008.exe	16
PID 1724 wrote to memory of 2888	1724	1b854ff428d213cf6027aabf80f94008.exe	15
PID 1724 wrote to memory of 2888	1724	1b854ff428d213cf6027aabf80f94008.exe	15
PID 1724 wrote to memory of 2888	1724	1b854ff428d213cf6027aabf80f94008.exe	15
PID 1724 wrote to memory of 2888	1724	1b854ff428d213cf6027aabf80f94008.exe	15

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe" /TN Google_Trk_Updater /F
1⤵
- Creates scheduled task(s)
PID:2888

C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe
C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe
"C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe

Filesize
92KB

MD5
bd4e44f896906fe1a44073d359c7652c

SHA1
d8bffb5b4fa1d90c69df0bbbc8c1c10c1ca99d64

SHA256
d52f0964f917d80049e4fe2111b2b8811b074199d355382f1ba83345cb84ebf9

SHA512
a255c04238d0e5a41bd800e6d86275a8fab83ea63051b09dfb645beb89bfd901e1172f4de2a8f275e83f87c76c52b54a63cd1cfa1a8b1fe52e44e77b1c33bb99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1299.tmp

Filesize
5KB

MD5
cda6cd8278faa9dc7d7221c396481e93

SHA1
1abe3dc819375dcbcf9e5fa62500b7ebca415293

SHA256
38e42d2e7cab60ff793f492ccf40267414dc1ff82202b428884a53be48a583fe

SHA512
61ef1e3f08d5a77c50f511a2e0d46a505574c16078d302bd4053c08a370a83eb9d011adba297a603658241106e6c4f1d9db9f8ec55dddcdb43ca77423ab4c119

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar12AB.tmp

Filesize
92KB

MD5
71e4ce8b3a1b89f335a6936bbdafce4c

SHA1
6e0d450eb5f316a9924b3e58445b26bfb727001e

SHA256
a5edfae1527d0c8d9fe5e7a2c5c21b671e61f9981f3bcf9e8cc9f9bb9f3b44c5

SHA512
b80af88699330e1ff01e409daabdedeef350fe7d192724dfa8622afa71e132076144175f6e097f8136f1bba44c7cb30cfdd0414dbe4e0a4712b3bad7b70aeff7

Download Submit
\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe

Filesize
70KB

MD5
9c394e897335e1b2dbed7e9a05972dc5

SHA1
715860e592c70e849806baf9eda210453005aa74

SHA256
163c4531b874c7a62c2aa1b4e4d767a77e1c1a64f7f48b241aa00771d7c19531

SHA512
1c878c28eee5a36b63f68edd5e52aefcab6ed439256c6e8106647bcde812351e7e2bfd46bd2f00e1ff3e844cebe54537f5260b8b8d9659a27442734643a19dd1

Download Submit
memory/1724-19-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1724-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1724-21-0x0000000001490000-0x0000000001513000-memory.dmp

Filesize
524KB

Download
memory/1724-29-0x0000000001520000-0x000000000159E000-memory.dmp

Filesize
504KB

Download
memory/1724-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1876-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1876-2-0x0000000000320000-0x00000000003A3000-memory.dmp

Filesize
524KB

Download
memory/1876-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1876-17-0x0000000002BB0000-0x0000000002C33000-memory.dmp

Filesize
524KB

Download
memory/1876-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads