60b5ed542d573723ef3191aa2f157eef1a031d2a53e2609bc6d96e99dcd14f32

Analysis

max time kernel
21s
max time network
127s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a3a9b54a5895aeaa117252ae2a3df21.exe
Size

506KB
MD5

4a3a9b54a5895aeaa117252ae2a3df21
SHA1

5dd8146f333be7c65c8cc2fb2dbcc4a802f52dea
SHA256

60b5ed542d573723ef3191aa2f157eef1a031d2a53e2609bc6d96e99dcd14f32
SHA512

2bcc89341d85cd1f9626d108509253fbc5622979c538a58b45370311ad45da475c8009d1e042860be7895bcb6c6aa4ab2c066b000254adae6ba1eb2914821405
SSDEEP

6144:XsB43ExsIxAEe9wY+z2l865hJ7VqQk7aNZVKSX4ugE87/WEvgocuPT1+gcaaOE62:XVGYd+/65UQBZet7/Tvgoyd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2912	4a3a9b54a5895aeaa117252ae2a3df21.exe

Executes dropped EXE 1 IoCs

pid	Process
2912	4a3a9b54a5895aeaa117252ae2a3df21.exe

Loads dropped DLL 1 IoCs

pid	Process
3060	4a3a9b54a5895aeaa117252ae2a3df21.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2912	4a3a9b54a5895aeaa117252ae2a3df21.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2912	4a3a9b54a5895aeaa117252ae2a3df21.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3060	4a3a9b54a5895aeaa117252ae2a3df21.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3060	4a3a9b54a5895aeaa117252ae2a3df21.exe
2912	4a3a9b54a5895aeaa117252ae2a3df21.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2912	3060	4a3a9b54a5895aeaa117252ae2a3df21.exe	18
PID 3060 wrote to memory of 2912	3060	4a3a9b54a5895aeaa117252ae2a3df21.exe	18
PID 3060 wrote to memory of 2912	3060	4a3a9b54a5895aeaa117252ae2a3df21.exe	18
PID 3060 wrote to memory of 2912	3060	4a3a9b54a5895aeaa117252ae2a3df21.exe	18
PID 2912 wrote to memory of 2672	2912	4a3a9b54a5895aeaa117252ae2a3df21.exe	16
PID 2912 wrote to memory of 2672	2912	4a3a9b54a5895aeaa117252ae2a3df21.exe	16
PID 2912 wrote to memory of 2672	2912	4a3a9b54a5895aeaa117252ae2a3df21.exe	16
PID 2912 wrote to memory of 2672	2912	4a3a9b54a5895aeaa117252ae2a3df21.exe	16

C:\Users\Admin\AppData\Local\Temp\4a3a9b54a5895aeaa117252ae2a3df21.exe
"C:\Users\Admin\AppData\Local\Temp\4a3a9b54a5895aeaa117252ae2a3df21.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\4a3a9b54a5895aeaa117252ae2a3df21.exe
  C:\Users\Admin\AppData\Local\Temp\4a3a9b54a5895aeaa117252ae2a3df21.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2912

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\4a3a9b54a5895aeaa117252ae2a3df21.exe" /TN Google_Trk_Updater /F
1⤵
- Creates scheduled task(s)
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2912-19-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2912-29-0x0000000002D90000-0x0000000002E0E000-memory.dmp

Filesize
504KB

Download
memory/2912-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2912-21-0x00000000001A0000-0x0000000000223000-memory.dmp

Filesize
524KB

Download
memory/2912-63-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3060-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3060-2-0x0000000000250000-0x00000000002D3000-memory.dmp

Filesize
524KB

Download
memory/3060-17-0x00000000002E0000-0x0000000000363000-memory.dmp

Filesize
524KB

Download
memory/3060-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3060-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download