f6089ec3d6b31e86317368f74a5a2eecbbf891f14abc36f5afeadc7799df8e6f

General

Target

5b0051cf46e77eb7d6a89c59bbbde40d.exe
Size

241KB
MD5

5b0051cf46e77eb7d6a89c59bbbde40d
SHA1

352c63a13f7d7156c76e2e1f82b33ebc4c221fec
SHA256

f6089ec3d6b31e86317368f74a5a2eecbbf891f14abc36f5afeadc7799df8e6f
SHA512

ed1357d758e2987d3b55100d825220697b903fc326ae068d914474c425b7a05896bdc6afa18bdb1623623fc81b3f493def1e368705a61f575b3f2ed936ee6559
SSDEEP

6144:7VPgkQAHIK3J8i54f2k8IUNqKduU5w5kQ3hIUqi0N3:JPZJjYH2e5zuUqiS3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2524	5b0051cf46e77eb7d6a89c59bbbde40d.exe

Executes dropped EXE 1 IoCs

pid	Process
2524	5b0051cf46e77eb7d6a89c59bbbde40d.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	5b0051cf46e77eb7d6a89c59bbbde40d.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2524	5b0051cf46e77eb7d6a89c59bbbde40d.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2148	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2524	5b0051cf46e77eb7d6a89c59bbbde40d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1712	5b0051cf46e77eb7d6a89c59bbbde40d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1712	5b0051cf46e77eb7d6a89c59bbbde40d.exe
2524	5b0051cf46e77eb7d6a89c59bbbde40d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2524	1712	5b0051cf46e77eb7d6a89c59bbbde40d.exe	18
PID 1712 wrote to memory of 2524	1712	5b0051cf46e77eb7d6a89c59bbbde40d.exe	18
PID 1712 wrote to memory of 2524	1712	5b0051cf46e77eb7d6a89c59bbbde40d.exe	18
PID 1712 wrote to memory of 2524	1712	5b0051cf46e77eb7d6a89c59bbbde40d.exe	18
PID 2524 wrote to memory of 2148	2524	5b0051cf46e77eb7d6a89c59bbbde40d.exe	17
PID 2524 wrote to memory of 2148	2524	5b0051cf46e77eb7d6a89c59bbbde40d.exe	17
PID 2524 wrote to memory of 2148	2524	5b0051cf46e77eb7d6a89c59bbbde40d.exe	17
PID 2524 wrote to memory of 2148	2524	5b0051cf46e77eb7d6a89c59bbbde40d.exe	17

C:\Users\Admin\AppData\Local\Temp\5b0051cf46e77eb7d6a89c59bbbde40d.exe
"C:\Users\Admin\AppData\Local\Temp\5b0051cf46e77eb7d6a89c59bbbde40d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\5b0051cf46e77eb7d6a89c59bbbde40d.exe
  C:\Users\Admin\AppData\Local\Temp\5b0051cf46e77eb7d6a89c59bbbde40d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2524

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5b0051cf46e77eb7d6a89c59bbbde40d.exe" /TN Google_Trk_Updater /F
1⤵
- Creates scheduled task(s)
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5b0051cf46e77eb7d6a89c59bbbde40d.exe

Filesize
241KB

MD5
739214aaf41fc33790eed56ff286af31

SHA1
b2e8e05987c58cc4e81c87753beef22906971b12

SHA256
4aac90f7c4b30147bcdf0b51f41427037330be930855ba77c48926e788e5cf5e

SHA512
cf7be2a30839a31aa1c9de3a1c3934b4d562e739510eb4151e5a2fbb685a2518d8e5f1caeaba51a012ea4500d43a2967c6c4fd1d879f68118e9a91cf7523707f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar38B2.tmp

Filesize
56KB

MD5
66971e43cdfaf7eb834817d8c76ac8d8

SHA1
f59cd3d70f37698936501da0be27a3d19b34215f

SHA256
81b49538ce9dc0348281b90a669334367e987860efed6c35543ca1e015da954c

SHA512
7760c9ce8762136525167a06800b6852a99c57032bc9491dc2b761608b9587d2769f5e1ecd0bbaddd4a304ed683fd2a3ec84c27d48521b50a994f90ae0cd7cff

Download Submit
\Users\Admin\AppData\Local\Temp\5b0051cf46e77eb7d6a89c59bbbde40d.exe

Filesize
110KB

MD5
133ac057ab25eedce1c6152ccf4ce1b6

SHA1
a4fcdfc5f344974b22be9e717674c8713643a557

SHA256
ae311b95620e5d59bf97ff884732e8c927a09478ba61ef3420285d5306412d6f

SHA512
4c51c7a0ec8098c39f9d0fa2c5a65bfa2f36da2e7bf86634d7591a011162d27a0e1028e883318685fc0de36cdc4b9b5db261fdfcc3755191164f3656bb87e0f3

Download Submit
memory/1712-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1712-2-0x00000000014C0000-0x0000000001577000-memory.dmp

Filesize
732KB

Download
memory/1712-15-0x0000000002DF0000-0x0000000002EA7000-memory.dmp

Filesize
732KB

Download
memory/1712-1-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1712-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2524-29-0x0000000000360000-0x00000000003C6000-memory.dmp

Filesize
408KB

Download
memory/2524-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2524-21-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2524-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2524-18-0x00000000002A0000-0x0000000000357000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads