336ced57b3132354bfef8ae6e89afce3bc7e1002746a3cafb6868a137c9be055

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 14:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

254a747038581fa497d23f1b6dcb3752.exe
Size

483KB
MD5

254a747038581fa497d23f1b6dcb3752
SHA1

1acd9b1cd2e287e873f5cf72039aa584716ed879
SHA256

336ced57b3132354bfef8ae6e89afce3bc7e1002746a3cafb6868a137c9be055
SHA512

1573683d3dc05ef22c30ec3f6e96f8bcf32b2d84725ada97593aee24fabc9e800c88ce3cece922d7c3580b82f2fe2087993da316855698f94f6f955ab6690b6b
SSDEEP

12288:O8NQd/Dg48uex9IY+4F4eUXI6K5liy43PGeEAe4Be:khRnexWDX0riZ+eEOBe

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
932	254a747038581fa497d23f1b6dcb3752.exe

Executes dropped EXE 1 IoCs

pid	Process
932	254a747038581fa497d23f1b6dcb3752.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
932	254a747038581fa497d23f1b6dcb3752.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
932	254a747038581fa497d23f1b6dcb3752.exe
932	254a747038581fa497d23f1b6dcb3752.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1772	254a747038581fa497d23f1b6dcb3752.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1772	254a747038581fa497d23f1b6dcb3752.exe
932	254a747038581fa497d23f1b6dcb3752.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 932	1772	254a747038581fa497d23f1b6dcb3752.exe	35
PID 1772 wrote to memory of 932	1772	254a747038581fa497d23f1b6dcb3752.exe	35
PID 1772 wrote to memory of 932	1772	254a747038581fa497d23f1b6dcb3752.exe	35
PID 932 wrote to memory of 1452	932	254a747038581fa497d23f1b6dcb3752.exe	80
PID 932 wrote to memory of 1452	932	254a747038581fa497d23f1b6dcb3752.exe	80
PID 932 wrote to memory of 1452	932	254a747038581fa497d23f1b6dcb3752.exe	80

C:\Users\Admin\AppData\Local\Temp\254a747038581fa497d23f1b6dcb3752.exe
"C:\Users\Admin\AppData\Local\Temp\254a747038581fa497d23f1b6dcb3752.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\254a747038581fa497d23f1b6dcb3752.exe
  C:\Users\Admin\AppData\Local\Temp\254a747038581fa497d23f1b6dcb3752.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\254a747038581fa497d23f1b6dcb3752.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\254a747038581fa497d23f1b6dcb3752.exe

Filesize
278KB

MD5
f9bfc47865cdc03e892762f819828f87

SHA1
73577090feb808eaa06103304ca9859d08568aad

SHA256
a0a664a9a21a13390c949bdfa9e2d73d4c542d0fa86f1f5f68e6e004279bdf8c

SHA512
d1cf1cd8e846067fb6a4672126c93ad01b4c831f6f7c5844b328936ea6c7164a27e426296d6c1bea5c3c537c51f7c33296159eb39209fb2c9a5b83994d8420ef

Download Submit
memory/932-13-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/932-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/932-15-0x0000000001530000-0x00000000015E7000-memory.dmp

Filesize
732KB

Download
memory/932-20-0x0000000004F70000-0x0000000004FD6000-memory.dmp

Filesize
408KB

Download
memory/932-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1772-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1772-1-0x0000000001530000-0x00000000015E7000-memory.dmp

Filesize
732KB

Download
memory/1772-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1772-11-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download