1e32e1e5e824594eb7f28ae6619da98bc98a8aacac89e1239b53f08c8ebc47ea

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

064da46e7e57755a33c23ef634d20bed.exe
Size

1000KB
MD5

064da46e7e57755a33c23ef634d20bed
SHA1

69111a99f9a83a10f6f96fac1da0bb3774a83f0d
SHA256

1e32e1e5e824594eb7f28ae6619da98bc98a8aacac89e1239b53f08c8ebc47ea
SHA512

25e3b6999a52c0ca2cd9906337bad83115e646285c3048a69eacc06d98bb7b795f3e7466a952719c69d58accc5853a63c059551a8601719fffa1c814638c35a0
SSDEEP

12288:v18jINxeSqF/M6AkfFoI47UH4r5/D+ctvVYb4ECaBwQ2tb5JLrnylUPqt0gHDS7O:5zqFFAiLGt/C22r1B+5vMiqt0gj2ed

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4140	064da46e7e57755a33c23ef634d20bed.exe

Executes dropped EXE 1 IoCs

pid	Process
4140	064da46e7e57755a33c23ef634d20bed.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4140	064da46e7e57755a33c23ef634d20bed.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4140	064da46e7e57755a33c23ef634d20bed.exe
4140	064da46e7e57755a33c23ef634d20bed.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4808	064da46e7e57755a33c23ef634d20bed.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4808	064da46e7e57755a33c23ef634d20bed.exe
4140	064da46e7e57755a33c23ef634d20bed.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4140	4808	064da46e7e57755a33c23ef634d20bed.exe	27
PID 4808 wrote to memory of 4140	4808	064da46e7e57755a33c23ef634d20bed.exe	27
PID 4808 wrote to memory of 4140	4808	064da46e7e57755a33c23ef634d20bed.exe	27
PID 4140 wrote to memory of 1704	4140	064da46e7e57755a33c23ef634d20bed.exe	36
PID 4140 wrote to memory of 1704	4140	064da46e7e57755a33c23ef634d20bed.exe	36
PID 4140 wrote to memory of 1704	4140	064da46e7e57755a33c23ef634d20bed.exe	36

C:\Users\Admin\AppData\Local\Temp\064da46e7e57755a33c23ef634d20bed.exe
"C:\Users\Admin\AppData\Local\Temp\064da46e7e57755a33c23ef634d20bed.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\064da46e7e57755a33c23ef634d20bed.exe
  C:\Users\Admin\AppData\Local\Temp\064da46e7e57755a33c23ef634d20bed.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\064da46e7e57755a33c23ef634d20bed.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\064da46e7e57755a33c23ef634d20bed.exe

Filesize
494KB

MD5
1cde2d385a65ec42d9b65e47e8bd8b64

SHA1
7c9b77d3af962f4cc6fc8b3f6c5c3f48e059cd5d

SHA256
0133f8c0bd81d517e86511da5e2f1021701811d9749002d18477fad589e8b1bf

SHA512
c9531709f7a47d49e82318e30830229f83110695fea7b4f042f329b87e912dbf4c7e5069977bbb46fcfd4fb60048340d1e6509f402e00bfe29b85a00f307f34a

Download Submit
memory/4140-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4140-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4140-19-0x0000000004F90000-0x000000000500E000-memory.dmp

Filesize
504KB

Download
memory/4140-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4808-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4808-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4808-1-0x0000000001670000-0x00000000016F3000-memory.dmp

Filesize
524KB

Download
memory/4808-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download