dc7fdfb3726564bed37fe9466a59bb9201146209f21c739e145dd43ef0d3d9b6

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66bd0e30fb16954e1a831e826af9cc60.exe
Size

1000KB
MD5

66bd0e30fb16954e1a831e826af9cc60
SHA1

bcdb794db8bc44efc6f89e027a32478b11584edd
SHA256

dc7fdfb3726564bed37fe9466a59bb9201146209f21c739e145dd43ef0d3d9b6
SHA512

f7cafd0fac4126cce6431bb70a48b068ce2d1f780b75ab20bf40668b2f09e9050a14b79c24244256728beaf8e284c1b10e118c84b3d692b8ca0bc1cb86efe84a
SSDEEP

24576:sksp1tF6E1+EHzczk0/h4k4fvLjKV1B+5vMiqt0gj2ed:jspNnTh0iLjKZqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2252	66bd0e30fb16954e1a831e826af9cc60.exe

Executes dropped EXE 1 IoCs

pid	Process
2252	66bd0e30fb16954e1a831e826af9cc60.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2252	66bd0e30fb16954e1a831e826af9cc60.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2252	66bd0e30fb16954e1a831e826af9cc60.exe
2252	66bd0e30fb16954e1a831e826af9cc60.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2188	66bd0e30fb16954e1a831e826af9cc60.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2188	66bd0e30fb16954e1a831e826af9cc60.exe
2252	66bd0e30fb16954e1a831e826af9cc60.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2252	2188	66bd0e30fb16954e1a831e826af9cc60.exe	16
PID 2188 wrote to memory of 2252	2188	66bd0e30fb16954e1a831e826af9cc60.exe	16
PID 2188 wrote to memory of 2252	2188	66bd0e30fb16954e1a831e826af9cc60.exe	16
PID 2252 wrote to memory of 2544	2252	66bd0e30fb16954e1a831e826af9cc60.exe	43
PID 2252 wrote to memory of 2544	2252	66bd0e30fb16954e1a831e826af9cc60.exe	43
PID 2252 wrote to memory of 2544	2252	66bd0e30fb16954e1a831e826af9cc60.exe	43

C:\Users\Admin\AppData\Local\Temp\66bd0e30fb16954e1a831e826af9cc60.exe
"C:\Users\Admin\AppData\Local\Temp\66bd0e30fb16954e1a831e826af9cc60.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\66bd0e30fb16954e1a831e826af9cc60.exe
  C:\Users\Admin\AppData\Local\Temp\66bd0e30fb16954e1a831e826af9cc60.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\66bd0e30fb16954e1a831e826af9cc60.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\66bd0e30fb16954e1a831e826af9cc60.exe

Filesize
92KB

MD5
cfa684bf56583a3b8fc98d2e26728907

SHA1
0fde214178b4b337e1fae09e7a68eb9006cfc0ac

SHA256
584b2f701747f21a6d5f35c71568ed039393766acede48c65a46383791e1fb9f

SHA512
f8f0540f98d12e4f391b70da71ec3644a40c1a2cd9fe52b7d1136ee63984d928eb4779e91950975baf9b62a2007a6fb7dfda3c2b155a4ce64e8eb4841b734b50

Download Submit
memory/2188-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2188-1-0x0000000000160000-0x00000000001E3000-memory.dmp

Filesize
524KB

Download
memory/2188-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2188-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2252-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2252-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2252-20-0x0000000004FA0000-0x000000000501E000-memory.dmp

Filesize
504KB

Download
memory/2252-16-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2252-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download