63ed7ac0b8e00808ec929abb087f9f4b658d51f8e1912ecae3f52a7aa0f9802a

General

Target

fadf8aecb2a87ef721708ef591b74317.exe
Size

506KB
MD5

fadf8aecb2a87ef721708ef591b74317
SHA1

d23c8f7b57158f8894f9762c2fa847c08a0966d2
SHA256

63ed7ac0b8e00808ec929abb087f9f4b658d51f8e1912ecae3f52a7aa0f9802a
SHA512

96c34ac31aa2e7092cb72b73597cd28d3da00a8c2ac35177cc55adb58a36eab94b913b2bd4805b94dd1860911ec11d1e121dfa89fc3698deeedce7163e9a817d
SSDEEP

12288:MV9B8EjYzMrk0tO9zM3k5EV2RtYTiTLshIqcYkcbU:MVAXMrA98juvqHvbU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3044	fadf8aecb2a87ef721708ef591b74317.exe

Executes dropped EXE 1 IoCs

pid	Process
3044	fadf8aecb2a87ef721708ef591b74317.exe

Loads dropped DLL 1 IoCs

pid	Process
2928	fadf8aecb2a87ef721708ef591b74317.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3044	fadf8aecb2a87ef721708ef591b74317.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3044	fadf8aecb2a87ef721708ef591b74317.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2928	fadf8aecb2a87ef721708ef591b74317.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2928	fadf8aecb2a87ef721708ef591b74317.exe
3044	fadf8aecb2a87ef721708ef591b74317.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 3044	2928	fadf8aecb2a87ef721708ef591b74317.exe	14
PID 2928 wrote to memory of 3044	2928	fadf8aecb2a87ef721708ef591b74317.exe	14
PID 2928 wrote to memory of 3044	2928	fadf8aecb2a87ef721708ef591b74317.exe	14
PID 2928 wrote to memory of 3044	2928	fadf8aecb2a87ef721708ef591b74317.exe	14
PID 3044 wrote to memory of 2568	3044	fadf8aecb2a87ef721708ef591b74317.exe	30
PID 3044 wrote to memory of 2568	3044	fadf8aecb2a87ef721708ef591b74317.exe	30
PID 3044 wrote to memory of 2568	3044	fadf8aecb2a87ef721708ef591b74317.exe	30
PID 3044 wrote to memory of 2568	3044	fadf8aecb2a87ef721708ef591b74317.exe	30

C:\Users\Admin\AppData\Local\Temp\fadf8aecb2a87ef721708ef591b74317.exe
C:\Users\Admin\AppData\Local\Temp\fadf8aecb2a87ef721708ef591b74317.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\fadf8aecb2a87ef721708ef591b74317.exe" /TN Google_Trk_Updater /F
  2⤵
  - Creates scheduled task(s)
  PID:2568

C:\Users\Admin\AppData\Local\Temp\fadf8aecb2a87ef721708ef591b74317.exe
"C:\Users\Admin\AppData\Local\Temp\fadf8aecb2a87ef721708ef591b74317.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar47AF.tmp

Filesize
85KB

MD5
b4336c27a81019626050e233f1835df4

SHA1
cf7ecdc18c67841389711f678febca40f48d64a0

SHA256
74c2bc3b14e0d0c9d712c1a90630523eaddceb4c401848b8a2b0ef725c232998

SHA512
9f7c6952de25e40df3f9cda4fd7fcbd333e5a8066dc0c1b106b15c7ff5731a9129619ecd32fb44be4b620ce9eea4c7a8294c3402b7dbc405e190d1d57c01c79b

Download Submit
\Users\Admin\AppData\Local\Temp\fadf8aecb2a87ef721708ef591b74317.exe

Filesize
93KB

MD5
ccc7289d46f976c62fc357981b7dd635

SHA1
d6dfa8300b3f3528ffc14f84356354759d4f1cfb

SHA256
55f77a28938999771124278f074685ac54f27a352bd5127b6d420fc9116e1a05

SHA512
2a98c6fb3bc314dc54076f194fc71898aeef1ec8b064bb37ce76e397346a4fc9d94b53424187a7000c7a529ebb89c51e3785372223c0898c44b3bb5ebb4e125b

Download Submit
memory/2928-2-0x00000000001A0000-0x0000000000223000-memory.dmp

Filesize
524KB

Download
memory/2928-15-0x0000000002E90000-0x0000000002F13000-memory.dmp

Filesize
524KB

Download
memory/2928-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2928-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2928-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3044-18-0x0000000001490000-0x0000000001513000-memory.dmp

Filesize
524KB

Download
memory/3044-21-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3044-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3044-29-0x0000000002DD0000-0x0000000002E4E000-memory.dmp

Filesize
504KB

Download
memory/3044-67-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads