a5c46f74af636b4e65c251e84f6c7bf399fbe385e8993092016814a4b53eba9f

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cb10ed7d41088c47d9e8d72565c8e3d.exe
Size

506KB
MD5

1cb10ed7d41088c47d9e8d72565c8e3d
SHA1

397fb817eeecbc8b68b30c52f411adcec4b0bb0f
SHA256

a5c46f74af636b4e65c251e84f6c7bf399fbe385e8993092016814a4b53eba9f
SHA512

33081c65f856a338ea556b066747bbf070943249ada034c925242591684a1db94a353f917adc5dbc9f0918abd542602d91208608cf847e0519c77b4dc929dec0
SSDEEP

6144:aS1Lf3idWXrFY5Omuj1DlrM3HEYuzG0LZu2fvmZVYvBNCEYyi3DaiWIdkm4aNth8:fE6sVuc3IBu6vWOBvYXB5Nth39dRgi2l

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4852	1cb10ed7d41088c47d9e8d72565c8e3d.exe

Executes dropped EXE 1 IoCs

pid	Process
4852	1cb10ed7d41088c47d9e8d72565c8e3d.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4852	1cb10ed7d41088c47d9e8d72565c8e3d.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4852	1cb10ed7d41088c47d9e8d72565c8e3d.exe
4852	1cb10ed7d41088c47d9e8d72565c8e3d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2180	1cb10ed7d41088c47d9e8d72565c8e3d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2180	1cb10ed7d41088c47d9e8d72565c8e3d.exe
4852	1cb10ed7d41088c47d9e8d72565c8e3d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 4852	2180	1cb10ed7d41088c47d9e8d72565c8e3d.exe	20
PID 2180 wrote to memory of 4852	2180	1cb10ed7d41088c47d9e8d72565c8e3d.exe	20
PID 2180 wrote to memory of 4852	2180	1cb10ed7d41088c47d9e8d72565c8e3d.exe	20
PID 4852 wrote to memory of 4456	4852	1cb10ed7d41088c47d9e8d72565c8e3d.exe	19
PID 4852 wrote to memory of 4456	4852	1cb10ed7d41088c47d9e8d72565c8e3d.exe	19
PID 4852 wrote to memory of 4456	4852	1cb10ed7d41088c47d9e8d72565c8e3d.exe	19

C:\Users\Admin\AppData\Local\Temp\1cb10ed7d41088c47d9e8d72565c8e3d.exe
"C:\Users\Admin\AppData\Local\Temp\1cb10ed7d41088c47d9e8d72565c8e3d.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\1cb10ed7d41088c47d9e8d72565c8e3d.exe
  C:\Users\Admin\AppData\Local\Temp\1cb10ed7d41088c47d9e8d72565c8e3d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4852

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\1cb10ed7d41088c47d9e8d72565c8e3d.exe" /TN Google_Trk_Updater /F
1⤵
- Creates scheduled task(s)
PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2180-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2180-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2180-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4852-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4852-20-0x0000000004F80000-0x0000000004FFE000-memory.dmp

Filesize
504KB

Download
memory/4852-14-0x0000000000160000-0x00000000001E3000-memory.dmp

Filesize
524KB

Download
memory/4852-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4852-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download