8e42bf5ee1d2b7104eb7c3f5a7e68d31480f4a371ff22d0d207494dd48546b00

Analysis

max time kernel
157s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 06:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0c92305fba2b555e233fb4c550f07a1a.exe
Size

241KB
MD5

0c92305fba2b555e233fb4c550f07a1a
SHA1

d5374850c94069688d1afcb0a4775080cacc6023
SHA256

8e42bf5ee1d2b7104eb7c3f5a7e68d31480f4a371ff22d0d207494dd48546b00
SHA512

f59acb1f44d857b61b3201143bf1b0765803f32875a1f3817a0bd27c75aa16400b9c02678929a889fd3cf19f5fa9bb2696d14681cd4d78e1ac92f277a30627b9
SSDEEP

6144:3Wkaqzd6WBi4S01j/apFq1jHIujEVRVC8FE+24Z0tbKIBy0:3W2Hi451DaeMujE88+IZgKV0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3536	0c92305fba2b555e233fb4c550f07a1a.exe

Executes dropped EXE 1 IoCs

pid	Process
3536	0c92305fba2b555e233fb4c550f07a1a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3536	0c92305fba2b555e233fb4c550f07a1a.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3536	0c92305fba2b555e233fb4c550f07a1a.exe
3536	0c92305fba2b555e233fb4c550f07a1a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3008	0c92305fba2b555e233fb4c550f07a1a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3008	0c92305fba2b555e233fb4c550f07a1a.exe
3536	0c92305fba2b555e233fb4c550f07a1a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 3536	3008	0c92305fba2b555e233fb4c550f07a1a.exe	93
PID 3008 wrote to memory of 3536	3008	0c92305fba2b555e233fb4c550f07a1a.exe	93
PID 3008 wrote to memory of 3536	3008	0c92305fba2b555e233fb4c550f07a1a.exe	93
PID 3536 wrote to memory of 1676	3536	0c92305fba2b555e233fb4c550f07a1a.exe	94
PID 3536 wrote to memory of 1676	3536	0c92305fba2b555e233fb4c550f07a1a.exe	94
PID 3536 wrote to memory of 1676	3536	0c92305fba2b555e233fb4c550f07a1a.exe	94

C:\Users\Admin\AppData\Local\Temp\0c92305fba2b555e233fb4c550f07a1a.exe
"C:\Users\Admin\AppData\Local\Temp\0c92305fba2b555e233fb4c550f07a1a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\0c92305fba2b555e233fb4c550f07a1a.exe
  C:\Users\Admin\AppData\Local\Temp\0c92305fba2b555e233fb4c550f07a1a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0c92305fba2b555e233fb4c550f07a1a.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0c92305fba2b555e233fb4c550f07a1a.exe

Filesize
241KB

MD5
a948f1ef3923d1813ada4e496ecf8894

SHA1
faf1318261c9c4977b62e383e741b2c1937ca0be

SHA256
56533efc2768c33606094e028ddbf1fd4228d78e528b5f64a68697c82e6f270b

SHA512
232227e52d1f1bdda792fac6be39f9c33784418ab057a73a423c7e092d6910ffe884f91d615e0b2f62024f302c71dcecce52af5bef766bed6f95d8d8d515b28a

Download Submit
memory/3008-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3008-1-0x00000000014C0000-0x0000000001577000-memory.dmp

Filesize
732KB

Download
memory/3008-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3008-11-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3536-15-0x0000000001530000-0x00000000015E7000-memory.dmp

Filesize
732KB

Download
memory/3536-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3536-13-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3536-20-0x0000000004F50000-0x0000000004FB6000-memory.dmp

Filesize
408KB

Download
memory/3536-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download