78e3e353c2bec57df7fcb893e759e853a13bc53190bdc560cbbccb371937aec8

General

Target

0cfc61c1ed000e0120ecfc5fc5e62eea.exe
Size

506KB
MD5

0cfc61c1ed000e0120ecfc5fc5e62eea
SHA1

e70e0e8ad71514e0edc2be6e5a28076c9cc5286e
SHA256

78e3e353c2bec57df7fcb893e759e853a13bc53190bdc560cbbccb371937aec8
SHA512

53613ea1a71ca22fc2f5f4de81b044b29db1c46901fe42f673cf84d10829dc103e451766afdf9942afa96a8f07c86f6a3e2b9ef7e7d02eacbedc25c6865e3446
SSDEEP

12288:sPkz9/h1wzcaVVjzR+afAzAyKE8LRR+j+vpoyC:1L1zS5zCcJEcfe4FC

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2888	0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Executes dropped EXE 1 IoCs

pid	Process
2888	0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Loads dropped DLL 1 IoCs

pid	Process
2520	0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2888	0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2888	0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2520	0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2520	0cfc61c1ed000e0120ecfc5fc5e62eea.exe
2888	0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2888	2520	0cfc61c1ed000e0120ecfc5fc5e62eea.exe	28
PID 2520 wrote to memory of 2888	2520	0cfc61c1ed000e0120ecfc5fc5e62eea.exe	28
PID 2520 wrote to memory of 2888	2520	0cfc61c1ed000e0120ecfc5fc5e62eea.exe	28
PID 2520 wrote to memory of 2888	2520	0cfc61c1ed000e0120ecfc5fc5e62eea.exe	28
PID 2888 wrote to memory of 3052	2888	0cfc61c1ed000e0120ecfc5fc5e62eea.exe	29
PID 2888 wrote to memory of 3052	2888	0cfc61c1ed000e0120ecfc5fc5e62eea.exe	29
PID 2888 wrote to memory of 3052	2888	0cfc61c1ed000e0120ecfc5fc5e62eea.exe	29
PID 2888 wrote to memory of 3052	2888	0cfc61c1ed000e0120ecfc5fc5e62eea.exe	29

C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe
"C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe
  C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
41KB

MD5
73fb1e7d91f8e0fc09f34207c598126f

SHA1
1d826cf1380f7c3e1a71e3789ee330434701da8a

SHA256
767f91e3d2583a51f891f08eb2494179b736543289f5d55a9286eb446867d53a

SHA512
ebb036347519fe9193eadcacdfd6d1e54238e96a7da2b57d47cbd0ce980a9a2c4119e5d2405caa091214cd7b4c82daaa5b214c378d254629e57c825362c6f54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Filesize
175KB

MD5
6b56c209782b9e5e850e330e6f79588b

SHA1
db9fb0b6c601e8d1304091d5425a6d32579ce73f

SHA256
0c402d49c41e05efe0f570c9c4c7046543f26522d3632c341a63f9f326a01146

SHA512
f56a3aad9d77c87d2193b57144c1a7684003fc28ad7c4f76a4c9dc50045f47f80db9672b253cd58c7d7f4a5291a36ff78dce11b86932c33f9a06a5398e29b691

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4B09.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Filesize
337KB

MD5
dca599f099432ac626870bf22680edb9

SHA1
a0f1e23a66f8d36906a74e461861c0f278c0b843

SHA256
8b8be50b777df670298499d7280fb7f1d0601fdb1129e295508d7c914b1a0e8b

SHA512
2dc147b3f62acc4a9800fb1cba0c6f3a608796a625929f6fb632e9de009c987d7e73ed76f8dc47074e3ba47bbe22b326f768256cca181bb1be0865b1da5fdf59

Download Submit
memory/2520-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2520-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2520-2-0x00000000001A0000-0x0000000000223000-memory.dmp

Filesize
524KB

Download
memory/2520-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2888-16-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2888-27-0x0000000002DB0000-0x0000000002E2E000-memory.dmp

Filesize
504KB

Download
memory/2888-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2888-18-0x0000000000230000-0x00000000002B3000-memory.dmp

Filesize
524KB

Download
memory/2888-66-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads