Analysis
-
max time kernel
122s
-
max time network
123s
-
platform
windows7_x64
-
resource
win7-20231215-en
-
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
-
submitted
25/12/2023, 07:35
Static task
static1
Behavioral task
behavioral1
Sample
0f3ace680f8970915f343bdc44bd8af0.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
0f3ace680f8970915f343bdc44bd8af0.exe
Resource
win10v2004-20231215-en
General
-
Target
0f3ace680f8970915f343bdc44bd8af0.exe
-
Size
242KB
-
MD5
0f3ace680f8970915f343bdc44bd8af0
-
SHA1
f86e80140e9e0c99c4c5f616c434f86ef4fc78a9
-
SHA256
e9521682d9b447132a5e84aa75b84742438a3f65d592b3b5bd5cfea9b834370d
-
SHA512
235d0eda2d22a8336b4d627d5901f7fe2962989986a3c7386fe40a473214c76424e83e9d9880d6e10c8bb534cc11dce5643a40e9a984b22ac6abf6280565dabc
-
SSDEEP
6144:7yXm01Y/Ak/HplW+mTodH3UicxA5YylWVkRV:uXm0C/x/JlW+Ic48sV4V
Malware Config
Signatures
-
Deletes itself (1 IoC)
  pid 1728  process 0f3ace680f8970915f343bdc44bd8af0.exe
-
Executes dropped EXE (1 IoC)
  pid 1728  process 0f3ace680f8970915f343bdc44bd8af0.exe
-
Loads dropped DLL (1 IoC)
  pid 2488  process 0f3ace680f8970915f343bdc44bd8af0.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 1728  process 0f3ace680f8970915f343bdc44bd8af0.exe
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2572  process schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1728  process 0f3ace680f8970915f343bdc44bd8af0.exe
-
Suspicious behavior: RenamesItself (1 IoC)
  pid 2488  process 0f3ace680f8970915f343bdc44bd8af0.exe
-
Suspicious use of UnmapMainImage (2 IoCs)
  pid 2488  process 0f3ace680f8970915f343bdc44bd8af0.exe
  pid 1728  process 0f3ace680f8970915f343bdc44bd8af0.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   process                               procid_target
  PID 2488 wrote to memory of 1728  2488  0f3ace680f8970915f343bdc44bd8af0.exe  16
  PID 2488 wrote to memory of 1728  2488  0f3ace680f8970915f343bdc44bd8af0.exe  16
  PID 2488 wrote to memory of 1728  2488  0f3ace680f8970915f343bdc44bd8af0.exe  16
  PID 2488 wrote to memory of 1728  2488  0f3ace680f8970915f343bdc44bd8af0.exe  16
  PID 1728 wrote to memory of 2572  1728  0f3ace680f8970915f343bdc44bd8af0.exe  15
  PID 1728 wrote to memory of 2572  1728  0f3ace680f8970915f343bdc44bd8af0.exe  15
  PID 1728 wrote to memory of 2572  1728  0f3ace680f8970915f343bdc44bd8af0.exe  15
  PID 1728 wrote to memory of 2572  1728  0f3ace680f8970915f343bdc44bd8af0.exe  15
Processes
-
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe" /TN Google_Trk_Updater /F
- Creates scheduled task(s)
PID:2572
-
C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe
C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1728
-
C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe
"C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe"
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2488
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
20KB
MD5
89c34e7f1d75e8d8e350da64a06feea5
SHA1
8676b6244fe43f12e813edb8694ae3e5140387b3
SHA256
01d9adba9cdd33ac0295bc7b13d178a6538d125cfcc16145d309c0994f598ba0
SHA512
2e198479d7719127be70f89d14cb553b54450825e0194bc4f109172f6d28b8d8d178072c39f35ea3393e00ab6320073bf819b57a9c9bc04066da0daa7ec0e587