6fa66095e2a47acab14a9780200a18a06241e0130b1ed71645d8fe1dfd9eefe9

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ede4cb539d18eff602baa20fdef459a.exe
Size

506KB
MD5

0ede4cb539d18eff602baa20fdef459a
SHA1

e0fadb85dc5250f8b2e1b3ae7b9c83a149ed105e
SHA256

6fa66095e2a47acab14a9780200a18a06241e0130b1ed71645d8fe1dfd9eefe9
SHA512

4fb8d01baa64328af4e34be52778508a9370eb6f0ea4d8b79c5db8538dd177918d09b584d1207a609a1429c8cfe200f1a1bdc793a5a1ceb353327b0f4b9f8d66
SSDEEP

12288:6m5aghmSWYdVJpvC+kmiAeb1MH35cqSgQ70zbU3SvMY:b5JhRPivb1MH3+lZQY31Y

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2904	0ede4cb539d18eff602baa20fdef459a.exe

Executes dropped EXE 1 IoCs

pid	Process
2904	0ede4cb539d18eff602baa20fdef459a.exe

Loads dropped DLL 1 IoCs

pid	Process
2412	0ede4cb539d18eff602baa20fdef459a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2904	0ede4cb539d18eff602baa20fdef459a.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2904	0ede4cb539d18eff602baa20fdef459a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2412	0ede4cb539d18eff602baa20fdef459a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2412	0ede4cb539d18eff602baa20fdef459a.exe
2904	0ede4cb539d18eff602baa20fdef459a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2904	2412	0ede4cb539d18eff602baa20fdef459a.exe	16
PID 2412 wrote to memory of 2904	2412	0ede4cb539d18eff602baa20fdef459a.exe	16
PID 2412 wrote to memory of 2904	2412	0ede4cb539d18eff602baa20fdef459a.exe	16
PID 2412 wrote to memory of 2904	2412	0ede4cb539d18eff602baa20fdef459a.exe	16
PID 2904 wrote to memory of 2252	2904	0ede4cb539d18eff602baa20fdef459a.exe	15
PID 2904 wrote to memory of 2252	2904	0ede4cb539d18eff602baa20fdef459a.exe	15
PID 2904 wrote to memory of 2252	2904	0ede4cb539d18eff602baa20fdef459a.exe	15
PID 2904 wrote to memory of 2252	2904	0ede4cb539d18eff602baa20fdef459a.exe	15

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0ede4cb539d18eff602baa20fdef459a.exe" /TN Google_Trk_Updater /F
1⤵
- Creates scheduled task(s)
PID:2252

C:\Users\Admin\AppData\Local\Temp\0ede4cb539d18eff602baa20fdef459a.exe
C:\Users\Admin\AppData\Local\Temp\0ede4cb539d18eff602baa20fdef459a.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2904

C:\Users\Admin\AppData\Local\Temp\0ede4cb539d18eff602baa20fdef459a.exe
"C:\Users\Admin\AppData\Local\Temp\0ede4cb539d18eff602baa20fdef459a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ede4cb539d18eff602baa20fdef459a.exe

Filesize
92KB

MD5
9c4ae14bbe24d298cd0840c80e287fa7

SHA1
628c4a6d4bc8b52575481af97d27683b6c173c8a

SHA256
c7b459503bfb2ae34a2e71599b976148cc5599cc0b23cea6be53e5a83572dbca

SHA512
2dfc2d4cdb83c677cba78fa62d3703a553999ef59aa980ea97f49f09b7f84ccfca622522cada9142aa947e0accc4592ba10d9b4b72d57387f6c7e42de393f34d

Download Submit
\Users\Admin\AppData\Local\Temp\0ede4cb539d18eff602baa20fdef459a.exe

Filesize
93KB

MD5
e9c60cd13b65b8a11c8387171c7ff1ba

SHA1
4e203c73baeb6dc5950b05bcbd219669dd0cf95b

SHA256
5cb3d3e9369199c227fbed2c11d05b947fd0b816241b6157de038ef65e123d9f

SHA512
9c4b082c13881e08bdefb361d4a4a8947d9ec2befe9856e3247e8dd2b5e5dc624d38d3249509382a3a8a6ae0960f6e0b17dddf9c96dd484b039b514cfe0f2695

Download Submit
memory/2412-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2412-2-0x00000000001A0000-0x0000000000223000-memory.dmp

Filesize
524KB

Download
memory/2412-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2412-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2904-16-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2904-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2904-25-0x0000000001600000-0x000000000167E000-memory.dmp

Filesize
504KB

Download
memory/2904-18-0x0000000001490000-0x0000000001513000-memory.dmp

Filesize
524KB

Download
memory/2904-66-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download