95e37b1407516365c0a7345abd128443d27bc4810866ee985cd2ca2695ce91f2

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d378cae60f385be83748e9d64d823d9.exe
Size

506KB
MD5

0d378cae60f385be83748e9d64d823d9
SHA1

2908b6cd0ea103d677bdd28f20d39b6fd9b1d899
SHA256

95e37b1407516365c0a7345abd128443d27bc4810866ee985cd2ca2695ce91f2
SHA512

4b59a98be3508dcbbf5ecec79c5386085a6fb1092ee762ae5988e490e3e7719ca09f16ebe1bb3e3ae58688458dddb27a5c6d0546d73c54855bdf0cb0fd518661
SSDEEP

12288:XCeezHRa9nSEpf+6op4lPrteJUOZenhaJbKTyduhAeRJobkHYY9h2WAWsT:VWHI9nhGz2PpeJUOwhEbcyduhAeRJ2ko

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2252	0d378cae60f385be83748e9d64d823d9.exe

Executes dropped EXE 1 IoCs

pid	Process
2252	0d378cae60f385be83748e9d64d823d9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2252	0d378cae60f385be83748e9d64d823d9.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2252	0d378cae60f385be83748e9d64d823d9.exe
2252	0d378cae60f385be83748e9d64d823d9.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
336	0d378cae60f385be83748e9d64d823d9.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
336	0d378cae60f385be83748e9d64d823d9.exe
2252	0d378cae60f385be83748e9d64d823d9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 2252	336	0d378cae60f385be83748e9d64d823d9.exe	58
PID 336 wrote to memory of 2252	336	0d378cae60f385be83748e9d64d823d9.exe	58
PID 336 wrote to memory of 2252	336	0d378cae60f385be83748e9d64d823d9.exe	58
PID 2252 wrote to memory of 4740	2252	0d378cae60f385be83748e9d64d823d9.exe	77
PID 2252 wrote to memory of 4740	2252	0d378cae60f385be83748e9d64d823d9.exe	77
PID 2252 wrote to memory of 4740	2252	0d378cae60f385be83748e9d64d823d9.exe	77

C:\Users\Admin\AppData\Local\Temp\0d378cae60f385be83748e9d64d823d9.exe
"C:\Users\Admin\AppData\Local\Temp\0d378cae60f385be83748e9d64d823d9.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336
- C:\Users\Admin\AppData\Local\Temp\0d378cae60f385be83748e9d64d823d9.exe
  C:\Users\Admin\AppData\Local\Temp\0d378cae60f385be83748e9d64d823d9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0d378cae60f385be83748e9d64d823d9.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0d378cae60f385be83748e9d64d823d9.exe

Filesize
506KB

MD5
1a800ba67dcdadf011170eb2cc9f4d03

SHA1
0f55bb6e53491eefc4d881dfc352a6406d5ca533

SHA256
33b074134e4e1da2bff47a41d4f24b1f9fe1ae5427728c00b086f0fde35c05c4

SHA512
7f656f395a500fec162609c511dab8cb5ffec1ac9d6c5ffa50d0558815be1dec76e69f878f96859a42ca2bfef66d8d41cbbde42c5d738b8ea21dc46171da9bc0

Download Submit
memory/336-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/336-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/336-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/336-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2252-19-0x0000000004F40000-0x0000000004FBE000-memory.dmp

Filesize
504KB

Download
memory/2252-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2252-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2252-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download