f892d3c06a37cf31a1eab580a3d1e69165ef5b581cde63bc05c5bf51d7ddd3ca

General

Target

4ec2628de1e4b9008f9c8b764ba16b2e.exe
Size

1000KB
MD5

4ec2628de1e4b9008f9c8b764ba16b2e
SHA1

e522b26e9251aa8110c62ca4506a1d5318694ad8
SHA256

f892d3c06a37cf31a1eab580a3d1e69165ef5b581cde63bc05c5bf51d7ddd3ca
SHA512

787854259f1da0a05da85572372c703b358bbbf76b958f2b7f6755094cc69205d4bb680566dd829eac9d89034610df5ce74a20c224b634025988529f6c3bcc6f
SSDEEP

24576:qDr1KbT2K1lCh8kSOCJgE+U021B+5vMiqt0gj2ed:q/1Fh1/CWE60qOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2080	4ec2628de1e4b9008f9c8b764ba16b2e.exe

Executes dropped EXE 1 IoCs

pid	Process
2080	4ec2628de1e4b9008f9c8b764ba16b2e.exe

Loads dropped DLL 1 IoCs

pid	Process
3052	4ec2628de1e4b9008f9c8b764ba16b2e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2080	4ec2628de1e4b9008f9c8b764ba16b2e.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2080	4ec2628de1e4b9008f9c8b764ba16b2e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3052	4ec2628de1e4b9008f9c8b764ba16b2e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3052	4ec2628de1e4b9008f9c8b764ba16b2e.exe
2080	4ec2628de1e4b9008f9c8b764ba16b2e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2080	3052	4ec2628de1e4b9008f9c8b764ba16b2e.exe	17
PID 3052 wrote to memory of 2080	3052	4ec2628de1e4b9008f9c8b764ba16b2e.exe	17
PID 3052 wrote to memory of 2080	3052	4ec2628de1e4b9008f9c8b764ba16b2e.exe	17
PID 3052 wrote to memory of 2080	3052	4ec2628de1e4b9008f9c8b764ba16b2e.exe	17
PID 2080 wrote to memory of 2832	2080	4ec2628de1e4b9008f9c8b764ba16b2e.exe	19
PID 2080 wrote to memory of 2832	2080	4ec2628de1e4b9008f9c8b764ba16b2e.exe	19
PID 2080 wrote to memory of 2832	2080	4ec2628de1e4b9008f9c8b764ba16b2e.exe	19
PID 2080 wrote to memory of 2832	2080	4ec2628de1e4b9008f9c8b764ba16b2e.exe	19

C:\Users\Admin\AppData\Local\Temp\4ec2628de1e4b9008f9c8b764ba16b2e.exe
"C:\Users\Admin\AppData\Local\Temp\4ec2628de1e4b9008f9c8b764ba16b2e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\4ec2628de1e4b9008f9c8b764ba16b2e.exe
  C:\Users\Admin\AppData\Local\Temp\4ec2628de1e4b9008f9c8b764ba16b2e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\4ec2628de1e4b9008f9c8b764ba16b2e.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4ec2628de1e4b9008f9c8b764ba16b2e.exe

Filesize
42KB

MD5
2b098faba2df6b84f2031f4e777b7266

SHA1
363a20a6c1a380429963417a64e3d63cce4a118d

SHA256
8bcb76f62a1dc4a859a25339cf6c7307b36fdda6768bc6977dc84f9f93ab818c

SHA512
98a32298acfb4f654172f9e186cbdce702d43bf9625e5315fa93ad8333f494e625cbf50fb8a4efac490b6a5af7e04aa329b020d725d04736d5444b0002ca6ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3111.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3123.tmp

Filesize
33KB

MD5
ccf134ca64db203c6305448a70074af8

SHA1
283ba7098e385e6d62b2920616767fdcba951da0

SHA256
052756a3dd4b1ddbcd4bb33ff93ca8d121cfc323ccdc8b23fe8518f6569c6cff

SHA512
9f52e072b42900ba360627f6e19f1ebb8ac7eb06af98c973d5a9a2d63d46373745e07850c2343cdc47e4b3552b3a2edbff3528a32f0c8f70cba2fb5efa69b6a6

Download Submit
\Users\Admin\AppData\Local\Temp\4ec2628de1e4b9008f9c8b764ba16b2e.exe

Filesize
24KB

MD5
7de892a67c0ee452bab6ee60b496a685

SHA1
fc318bd6acf80bf54b88a31929531fb724963c5e

SHA256
729d837471c904d2385fe4ad8c04ac8c2bb36e27d0341c1f79998ac3cfcc7f08

SHA512
85bf8d958d5ba5d81af4d1b12568a7dd4949668eef8d9eb8e232f90949f7429f10cbf549da371c9452bb4ceda8602253f7f5ccb72227026a30c7dd0c2c43c5dc

Download Submit
memory/2080-20-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2080-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2080-29-0x00000000014F0000-0x000000000156E000-memory.dmp

Filesize
504KB

Download
memory/2080-21-0x0000000000250000-0x00000000002D3000-memory.dmp

Filesize
524KB

Download
memory/2080-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3052-17-0x0000000001520000-0x00000000015A3000-memory.dmp

Filesize
524KB

Download
memory/3052-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3052-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3052-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3052-2-0x0000000001490000-0x0000000001513000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads