e9521682d9b447132a5e84aa75b84742438a3f65d592b3b5bd5cfea9b834370d

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f3ace680f8970915f343bdc44bd8af0.exe
Size

242KB
MD5

0f3ace680f8970915f343bdc44bd8af0
SHA1

f86e80140e9e0c99c4c5f616c434f86ef4fc78a9
SHA256

e9521682d9b447132a5e84aa75b84742438a3f65d592b3b5bd5cfea9b834370d
SHA512

235d0eda2d22a8336b4d627d5901f7fe2962989986a3c7386fe40a473214c76424e83e9d9880d6e10c8bb534cc11dce5643a40e9a984b22ac6abf6280565dabc
SSDEEP

6144:7yXm01Y/Ak/HplW+mTodH3UicxA5YylWVkRV:uXm0C/x/JlW+Ic48sV4V

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1728	0f3ace680f8970915f343bdc44bd8af0.exe

Executes dropped EXE 1 IoCs

pid	Process
1728	0f3ace680f8970915f343bdc44bd8af0.exe

Loads dropped DLL 1 IoCs

pid	Process
2488	0f3ace680f8970915f343bdc44bd8af0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1728	0f3ace680f8970915f343bdc44bd8af0.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1728	0f3ace680f8970915f343bdc44bd8af0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2488	0f3ace680f8970915f343bdc44bd8af0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2488	0f3ace680f8970915f343bdc44bd8af0.exe
1728	0f3ace680f8970915f343bdc44bd8af0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 1728	2488	0f3ace680f8970915f343bdc44bd8af0.exe	16
PID 2488 wrote to memory of 1728	2488	0f3ace680f8970915f343bdc44bd8af0.exe	16
PID 2488 wrote to memory of 1728	2488	0f3ace680f8970915f343bdc44bd8af0.exe	16
PID 2488 wrote to memory of 1728	2488	0f3ace680f8970915f343bdc44bd8af0.exe	16
PID 1728 wrote to memory of 2572	1728	0f3ace680f8970915f343bdc44bd8af0.exe	15
PID 1728 wrote to memory of 2572	1728	0f3ace680f8970915f343bdc44bd8af0.exe	15
PID 1728 wrote to memory of 2572	1728	0f3ace680f8970915f343bdc44bd8af0.exe	15
PID 1728 wrote to memory of 2572	1728	0f3ace680f8970915f343bdc44bd8af0.exe	15

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe" /TN Google_Trk_Updater /F
1⤵
- Creates scheduled task(s)
PID:2572

C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe
C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe
"C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe

Filesize
20KB

MD5
89c34e7f1d75e8d8e350da64a06feea5

SHA1
8676b6244fe43f12e813edb8694ae3e5140387b3

SHA256
01d9adba9cdd33ac0295bc7b13d178a6538d125cfcc16145d309c0994f598ba0

SHA512
2e198479d7719127be70f89d14cb553b54450825e0194bc4f109172f6d28b8d8d178072c39f35ea3393e00ab6320073bf819b57a9c9bc04066da0daa7ec0e587

Download Submit
memory/1728-21-0x00000000002A0000-0x0000000000357000-memory.dmp

Filesize
732KB

Download
memory/1728-19-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1728-29-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/1728-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1728-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2488-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2488-3-0x0000000000330000-0x00000000003E7000-memory.dmp

Filesize
732KB

Download
memory/2488-17-0x0000000002D60000-0x0000000002E17000-memory.dmp

Filesize
732KB

Download
memory/2488-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2488-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download