8485a8bd572d2a7e2e888411d642a332abce1b75db8f555e20349157f93adb51

Analysis

max time kernel
145s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fff2038ddd48206049e4bd13f2a7569.exe
Size

1000KB
MD5

0fff2038ddd48206049e4bd13f2a7569
SHA1

9a4ff02db97fad2ee008e784a57fbfdac98bfe48
SHA256

8485a8bd572d2a7e2e888411d642a332abce1b75db8f555e20349157f93adb51
SHA512

1743327aa8fc28e3837edddc799da61535f8d8a95cd330f93883d44a4945cc05d5f86447bf01955c41681265933def2b92551cbd7ac65652169f7b7205128790
SSDEEP

24576:q6scd4/3Vc5YXLS5D7XmjfQ1B+5vMiqt0gj2ed:mcmfm5Y76D7pqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5012	0fff2038ddd48206049e4bd13f2a7569.exe

Executes dropped EXE 1 IoCs

pid	Process
5012	0fff2038ddd48206049e4bd13f2a7569.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5012	0fff2038ddd48206049e4bd13f2a7569.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5012	0fff2038ddd48206049e4bd13f2a7569.exe
5012	0fff2038ddd48206049e4bd13f2a7569.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4112	0fff2038ddd48206049e4bd13f2a7569.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4112	0fff2038ddd48206049e4bd13f2a7569.exe
5012	0fff2038ddd48206049e4bd13f2a7569.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 5012	4112	0fff2038ddd48206049e4bd13f2a7569.exe	23
PID 4112 wrote to memory of 5012	4112	0fff2038ddd48206049e4bd13f2a7569.exe	23
PID 4112 wrote to memory of 5012	4112	0fff2038ddd48206049e4bd13f2a7569.exe	23
PID 5012 wrote to memory of 2524	5012	0fff2038ddd48206049e4bd13f2a7569.exe	21
PID 5012 wrote to memory of 2524	5012	0fff2038ddd48206049e4bd13f2a7569.exe	21
PID 5012 wrote to memory of 2524	5012	0fff2038ddd48206049e4bd13f2a7569.exe	21

C:\Users\Admin\AppData\Local\Temp\0fff2038ddd48206049e4bd13f2a7569.exe
"C:\Users\Admin\AppData\Local\Temp\0fff2038ddd48206049e4bd13f2a7569.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\0fff2038ddd48206049e4bd13f2a7569.exe
  C:\Users\Admin\AppData\Local\Temp\0fff2038ddd48206049e4bd13f2a7569.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:5012

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0fff2038ddd48206049e4bd13f2a7569.exe" /TN Google_Trk_Updater /F
1⤵
- Creates scheduled task(s)
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4112-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4112-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4112-1-0x0000000001650000-0x00000000016D3000-memory.dmp

Filesize
524KB

Download
memory/4112-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5012-16-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/5012-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5012-20-0x00000000016A0000-0x000000000171E000-memory.dmp

Filesize
504KB

Download
memory/5012-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5012-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download