3b46860e7ffdcc531af1dd81752cce9ae5f410fa1d9b6d1ac3409801c9d8d9c4

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffecb4999889f9dff3f3ca807aa462ac.exe
Size

1000KB
MD5

ffecb4999889f9dff3f3ca807aa462ac
SHA1

1405ccffb6a9cdfab47b9e8ef7cea6025304a058
SHA256

3b46860e7ffdcc531af1dd81752cce9ae5f410fa1d9b6d1ac3409801c9d8d9c4
SHA512

0c0371aa5be01301f8b7c1a9490813ed5f5e16c6f6e489666dcd8acb98eb64968f1ec018f779a2b85f36ba504f7d79e6cf376e115be59da00dfedcb45bc725eb
SSDEEP

24576:sNp5IbLWzXcsQPCtKP/VN1B+5vMiqt0gj2ed:sNYPvlPlPNhqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2216	ffecb4999889f9dff3f3ca807aa462ac.exe

Executes dropped EXE 1 IoCs

pid	Process
2216	ffecb4999889f9dff3f3ca807aa462ac.exe

Loads dropped DLL 1 IoCs

pid	Process
2360	ffecb4999889f9dff3f3ca807aa462ac.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2216	ffecb4999889f9dff3f3ca807aa462ac.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2216	ffecb4999889f9dff3f3ca807aa462ac.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2360	ffecb4999889f9dff3f3ca807aa462ac.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2360	ffecb4999889f9dff3f3ca807aa462ac.exe
2216	ffecb4999889f9dff3f3ca807aa462ac.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2216	2360	ffecb4999889f9dff3f3ca807aa462ac.exe	28
PID 2360 wrote to memory of 2216	2360	ffecb4999889f9dff3f3ca807aa462ac.exe	28
PID 2360 wrote to memory of 2216	2360	ffecb4999889f9dff3f3ca807aa462ac.exe	28
PID 2360 wrote to memory of 2216	2360	ffecb4999889f9dff3f3ca807aa462ac.exe	28
PID 2216 wrote to memory of 3048	2216	ffecb4999889f9dff3f3ca807aa462ac.exe	30
PID 2216 wrote to memory of 3048	2216	ffecb4999889f9dff3f3ca807aa462ac.exe	30
PID 2216 wrote to memory of 3048	2216	ffecb4999889f9dff3f3ca807aa462ac.exe	30
PID 2216 wrote to memory of 3048	2216	ffecb4999889f9dff3f3ca807aa462ac.exe	30

C:\Users\Admin\AppData\Local\Temp\ffecb4999889f9dff3f3ca807aa462ac.exe
"C:\Users\Admin\AppData\Local\Temp\ffecb4999889f9dff3f3ca807aa462ac.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\ffecb4999889f9dff3f3ca807aa462ac.exe
  C:\Users\Admin\AppData\Local\Temp\ffecb4999889f9dff3f3ca807aa462ac.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\ffecb4999889f9dff3f3ca807aa462ac.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ffecb4999889f9dff3f3ca807aa462ac.exe

Filesize
574KB

MD5
cc446eaaa95e4457c563e82db62215e1

SHA1
0639ff8759e9ca5ccd4326bea8add6a24f1cdc5d

SHA256
07390166262357a8ba732e85da813a73376313092c2b46c2b55ffba0a4c53c16

SHA512
c32cb619c315cba5b09aaea24df2bf3c3e504675cbcaa3f9dc17283987c77e118e346c316dc781ec6210e99fe062ae315c4e15934a00c853c41bbe53419dd405

Download Submit
\Users\Admin\AppData\Local\Temp\ffecb4999889f9dff3f3ca807aa462ac.exe

Filesize
1000KB

MD5
71415f5cfdf200187635dd9c538191de

SHA1
ccfdff1b803e5f6976a6d0271ef63833dac707ef

SHA256
333f9c8bc10c686baac0f848dc372c42e3089aed0812150547b33c3955a87584

SHA512
0e017bb70318fea13120db5ea1f81c4cd3880b076db75b09b13b0c49a625f3938f189d4938f8b2f1e3dda5ef9e01a385868271f48b2d6146984820b09faad646

Download Submit
memory/2216-18-0x00000000001A0000-0x0000000000223000-memory.dmp

Filesize
524KB

Download
memory/2216-29-0x0000000002E60000-0x0000000002EDE000-memory.dmp

Filesize
504KB

Download
memory/2216-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2216-21-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2216-67-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2360-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2360-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2360-2-0x00000000001A0000-0x0000000000223000-memory.dmp

Filesize
524KB

Download
memory/2360-15-0x00000000002C0000-0x0000000000343000-memory.dmp

Filesize
524KB

Download
memory/2360-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download