8bc3cf451e48897ff36f1b5d3d39b3ccb94087080899b7e6214976bac8bf9011

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69f949c7258cf160e3bbeb76a9b56ddf.exe
Size

1012KB
MD5

69f949c7258cf160e3bbeb76a9b56ddf
SHA1

5081e419aae8f7e55f9c7cf2b946bb85e69fb6d9
SHA256

8bc3cf451e48897ff36f1b5d3d39b3ccb94087080899b7e6214976bac8bf9011
SHA512

ec94f2c7b7d345353e0c49023c71d31bf80569af9c9c638b90367c6f624a83bcd11fc97ffdf0c99e368f36e0530b4dbff0c6fa6f3f49ccede2f9d88274a20f16
SSDEEP

24576:aa3Lf5FvtWD71WlMRlZ1B+5vMiqt0gj2eR:a+dFvsW+RjqO7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1668	69f949c7258cf160e3bbeb76a9b56ddf.exe

Executes dropped EXE 1 IoCs

pid	Process
1668	69f949c7258cf160e3bbeb76a9b56ddf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1668	69f949c7258cf160e3bbeb76a9b56ddf.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1668	69f949c7258cf160e3bbeb76a9b56ddf.exe
1668	69f949c7258cf160e3bbeb76a9b56ddf.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4784	69f949c7258cf160e3bbeb76a9b56ddf.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4784	69f949c7258cf160e3bbeb76a9b56ddf.exe
1668	69f949c7258cf160e3bbeb76a9b56ddf.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 1668	4784	69f949c7258cf160e3bbeb76a9b56ddf.exe	17
PID 4784 wrote to memory of 1668	4784	69f949c7258cf160e3bbeb76a9b56ddf.exe	17
PID 4784 wrote to memory of 1668	4784	69f949c7258cf160e3bbeb76a9b56ddf.exe	17
PID 1668 wrote to memory of 1604	1668	69f949c7258cf160e3bbeb76a9b56ddf.exe	22
PID 1668 wrote to memory of 1604	1668	69f949c7258cf160e3bbeb76a9b56ddf.exe	22
PID 1668 wrote to memory of 1604	1668	69f949c7258cf160e3bbeb76a9b56ddf.exe	22

C:\Users\Admin\AppData\Local\Temp\69f949c7258cf160e3bbeb76a9b56ddf.exe
"C:\Users\Admin\AppData\Local\Temp\69f949c7258cf160e3bbeb76a9b56ddf.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\69f949c7258cf160e3bbeb76a9b56ddf.exe
  C:\Users\Admin\AppData\Local\Temp\69f949c7258cf160e3bbeb76a9b56ddf.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\69f949c7258cf160e3bbeb76a9b56ddf.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-16-0x0000000001690000-0x0000000001713000-memory.dmp

Filesize
524KB

Download
memory/1668-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1668-25-0x0000000004F30000-0x0000000004FAE000-memory.dmp

Filesize
504KB

Download
memory/1668-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1668-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4784-1-0x0000000001680000-0x0000000001703000-memory.dmp

Filesize
524KB

Download
memory/4784-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4784-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4784-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download