41d03ffe08056e401416800e77e2b6345812937778d696f96fc3ea8e3e34dc0c

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0343e10403bfb842d91e71c0a127502b.exe
Size

506KB
MD5

0343e10403bfb842d91e71c0a127502b
SHA1

3ac7c13e34904dd321c277285e4cc378f1415fa6
SHA256

41d03ffe08056e401416800e77e2b6345812937778d696f96fc3ea8e3e34dc0c
SHA512

346e3509d97d8a173b934a1791466fc036613c3493c3e308834aee6c908d691798e0c2eecc7fdb4cb835e78143e409197f5e60749a5869014d5c2636a7305d2d
SSDEEP

6144:k4R+mwRSejONTL6S/cRW1H5W89hRXDj7yIRbhiH33mpa6ZGoir7lIOsUvfwVUCQx:k0+7JjOq0XRbxvyISnQRDpapnw+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
628	0343e10403bfb842d91e71c0a127502b.exe

Executes dropped EXE 1 IoCs

pid	Process
628	0343e10403bfb842d91e71c0a127502b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
628	0343e10403bfb842d91e71c0a127502b.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
628	0343e10403bfb842d91e71c0a127502b.exe
628	0343e10403bfb842d91e71c0a127502b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5008	0343e10403bfb842d91e71c0a127502b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5008	0343e10403bfb842d91e71c0a127502b.exe
628	0343e10403bfb842d91e71c0a127502b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 628	5008	0343e10403bfb842d91e71c0a127502b.exe	53
PID 5008 wrote to memory of 628	5008	0343e10403bfb842d91e71c0a127502b.exe	53
PID 5008 wrote to memory of 628	5008	0343e10403bfb842d91e71c0a127502b.exe	53
PID 628 wrote to memory of 4760	628	0343e10403bfb842d91e71c0a127502b.exe	69
PID 628 wrote to memory of 4760	628	0343e10403bfb842d91e71c0a127502b.exe	69
PID 628 wrote to memory of 4760	628	0343e10403bfb842d91e71c0a127502b.exe	69

C:\Users\Admin\AppData\Local\Temp\0343e10403bfb842d91e71c0a127502b.exe
"C:\Users\Admin\AppData\Local\Temp\0343e10403bfb842d91e71c0a127502b.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Local\Temp\0343e10403bfb842d91e71c0a127502b.exe
  C:\Users\Admin\AppData\Local\Temp\0343e10403bfb842d91e71c0a127502b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0343e10403bfb842d91e71c0a127502b.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0343e10403bfb842d91e71c0a127502b.exe

Filesize
68KB

MD5
4b561bb421842a7ddbaad2bd1c0ed62a

SHA1
a98e8d272ad2e12f6b7c9f4172673d9ccb06bceb

SHA256
023547f4afc49182984a1f95d7cc71b5adcfee6bb4a48e5029bfc542cf224235

SHA512
e42141f0eb38760ee493d450e5b379c152f34141c6c8ecbb760003174683b8c394b86a48f2e055b8356d75b60586e12d7e200f60c46374ea71fcdded685c6476

Download Submit
memory/628-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/628-17-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/628-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/628-20-0x0000000004F00000-0x0000000004F7E000-memory.dmp

Filesize
504KB

Download
memory/628-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5008-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5008-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5008-1-0x0000000001670000-0x00000000016F3000-memory.dmp

Filesize
524KB

Download
memory/5008-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download