b0359d70616a189371e54a169398521c0114c73e797ef0ae849becae1014cbb7

General

Target

678923982bc7d83f53fdf068b43b77e4.exe
Size

241KB
MD5

678923982bc7d83f53fdf068b43b77e4
SHA1

ed9e274db40ec0b883e9e81f83c29a51d2efd5bb
SHA256

b0359d70616a189371e54a169398521c0114c73e797ef0ae849becae1014cbb7
SHA512

b0ec90342c3aab0ec1071ad99442c02fc5442ed3a7d2b2637fe8b439a325d18e42d778205f795f1ff926203e333efd1bcb4cabeefe18109fe8e62a5c48980cda
SSDEEP

6144:tmU5DJi8BnA/dizLz5O7YLm4nrhk9CrwuMXjXYDEU:tm8NV+/gQ+xFk9Cr6TYr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1820	678923982bc7d83f53fdf068b43b77e4.exe

Executes dropped EXE 1 IoCs

pid	Process
1820	678923982bc7d83f53fdf068b43b77e4.exe

Loads dropped DLL 1 IoCs

pid	Process
3056	678923982bc7d83f53fdf068b43b77e4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1820	678923982bc7d83f53fdf068b43b77e4.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1820	678923982bc7d83f53fdf068b43b77e4.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3056	678923982bc7d83f53fdf068b43b77e4.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3056	678923982bc7d83f53fdf068b43b77e4.exe
1820	678923982bc7d83f53fdf068b43b77e4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 1820	3056	678923982bc7d83f53fdf068b43b77e4.exe	17
PID 3056 wrote to memory of 1820	3056	678923982bc7d83f53fdf068b43b77e4.exe	17
PID 3056 wrote to memory of 1820	3056	678923982bc7d83f53fdf068b43b77e4.exe	17
PID 3056 wrote to memory of 1820	3056	678923982bc7d83f53fdf068b43b77e4.exe	17
PID 1820 wrote to memory of 2696	1820	678923982bc7d83f53fdf068b43b77e4.exe	29
PID 1820 wrote to memory of 2696	1820	678923982bc7d83f53fdf068b43b77e4.exe	29
PID 1820 wrote to memory of 2696	1820	678923982bc7d83f53fdf068b43b77e4.exe	29
PID 1820 wrote to memory of 2696	1820	678923982bc7d83f53fdf068b43b77e4.exe	29

C:\Users\Admin\AppData\Local\Temp\678923982bc7d83f53fdf068b43b77e4.exe
"C:\Users\Admin\AppData\Local\Temp\678923982bc7d83f53fdf068b43b77e4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\678923982bc7d83f53fdf068b43b77e4.exe
  C:\Users\Admin\AppData\Local\Temp\678923982bc7d83f53fdf068b43b77e4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\678923982bc7d83f53fdf068b43b77e4.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\678923982bc7d83f53fdf068b43b77e4.exe

Filesize
50KB

MD5
aea717bf26cb3dc72b24ee1888d81e40

SHA1
701ab5b13a7547c7871cde4be47beecf2a3a4668

SHA256
e09d38cac9ba051e7b5d1fb47c82b63a57d21396889bbab738c7c9d59daf4459

SHA512
cf33316709cfa21e0a756f3bedd597bd26e8b221f1d4798ab9cfa8fb5d0db97279c92d88e8096378a9a313a5cebd6a8e4077eed6d093a16c1ad0e2fb1c4a9cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1161.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar11A2.tmp

Filesize
42KB

MD5
0852e9c7899d4ffcccfec24014eb82ea

SHA1
c0f7c4d0264c71c40cd0202bffc29c71e5ae8088

SHA256
a6a0c5aaf49731342a8fcc643e3d94f5a015753a79de0d8f2a0c467756c8eff1

SHA512
3f576e2a4a7788b4cacc30ac67148aaf5ad3c82be77083089ce25ae8dbba74b7584f7a3df5cb68c85e3d95f5285223b08c98e661085d347750277062e92c5d95

Download Submit
\Users\Admin\AppData\Local\Temp\678923982bc7d83f53fdf068b43b77e4.exe

Filesize
54KB

MD5
3614d3269207fef826ca4156ae1b6f30

SHA1
8a95066f5c179497ea0807e96568a64b12e706bf

SHA256
1402b9b9d29095775b8ec703323dd160f010d755cc0623c90c162db2286607e2

SHA512
292e56e82aee4178f1d616c725df8eadc3630c563382b02cd91cda4a96f8650fb79504d6932297b654b3b1377a40231ddc85a587591419e2bf7b53395cdc63c8

Download Submit
memory/1820-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1820-27-0x0000000002D00000-0x0000000002D66000-memory.dmp

Filesize
408KB

Download
memory/1820-18-0x00000000014C0000-0x0000000001577000-memory.dmp

Filesize
732KB

Download
memory/1820-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3056-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3056-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3056-11-0x0000000001580000-0x0000000001637000-memory.dmp

Filesize
732KB

Download
memory/3056-1-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3056-2-0x00000000014C0000-0x0000000001577000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads