aa6a25721fa4a71e939f88c09bde15b1b1d8097a8ff39b11bac0b7edfa4a0d80

Analysis

max time kernel
140s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b854ff428d213cf6027aabf80f94008.exe
Size

1000KB
MD5

1b854ff428d213cf6027aabf80f94008
SHA1

b3c7eb47bc161d0069c546daa35a46648b70f2cd
SHA256

aa6a25721fa4a71e939f88c09bde15b1b1d8097a8ff39b11bac0b7edfa4a0d80
SHA512

a94de60ecc30e9787ef0c1e22016eb9da71579139d2db9c82208fbd068bda7ffe0faccf1859e052852d31a45e82430079c82ebd82235a1a0add784d25e8aed23
SSDEEP

24576:aKd2/xq6VecWfa5sHGdqRDoeY7d15ipq1B+5vMiqt0gj2ed:ZY/xq64Vfa5sHGdqRDoeY7dvipgqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
236	1b854ff428d213cf6027aabf80f94008.exe

Executes dropped EXE 1 IoCs

pid	Process
236	1b854ff428d213cf6027aabf80f94008.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
236	1b854ff428d213cf6027aabf80f94008.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
236	1b854ff428d213cf6027aabf80f94008.exe
236	1b854ff428d213cf6027aabf80f94008.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3988	1b854ff428d213cf6027aabf80f94008.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3988	1b854ff428d213cf6027aabf80f94008.exe
236	1b854ff428d213cf6027aabf80f94008.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 236	3988	1b854ff428d213cf6027aabf80f94008.exe	91
PID 3988 wrote to memory of 236	3988	1b854ff428d213cf6027aabf80f94008.exe	91
PID 3988 wrote to memory of 236	3988	1b854ff428d213cf6027aabf80f94008.exe	91
PID 236 wrote to memory of 1092	236	1b854ff428d213cf6027aabf80f94008.exe	92
PID 236 wrote to memory of 1092	236	1b854ff428d213cf6027aabf80f94008.exe	92
PID 236 wrote to memory of 1092	236	1b854ff428d213cf6027aabf80f94008.exe	92

C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe
"C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe
  C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:236
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe

Filesize
1000KB

MD5
cb53168d802fe1a56487156d8d5790c9

SHA1
234a2b0383f18af455ca5ea219ed4d6728e51dd4

SHA256
66c2c9082f0056838fc86d90a9441df05ae990265c5903f7a347aebd678c6c1a

SHA512
dfa262263b39c26c872d8375c05c643dba89853fc86fed92349360728fc525d6d40ce817afba2017228760075dd85e690ab0448daef6d80571009d37fb875815

Download Submit
memory/236-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/236-20-0x0000000004F50000-0x0000000004FCE000-memory.dmp

Filesize
504KB

Download
memory/236-15-0x0000000001560000-0x00000000015E3000-memory.dmp

Filesize
524KB

Download
memory/236-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/236-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3988-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3988-1-0x0000000001670000-0x00000000016F3000-memory.dmp

Filesize
524KB

Download
memory/3988-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3988-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download