Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/12/2023, 20:33
Static task: static1
Behavioral task: behavioral1 (sample 0343e10403bfb842d91e71c0a127502b.exe, resource win7-20231215-en)
Behavioral task: behavioral2 (sample 0343e10403bfb842d91e71c0a127502b.exe, resource win10v2004-20231222-en)
The results below are from behavioral2, the win10v2004-20231222-en run.
General
- Target: 0343e10403bfb842d91e71c0a127502b.exe
- Size: 506KB
- MD5: 0343e10403bfb842d91e71c0a127502b
- SHA1: 3ac7c13e34904dd321c277285e4cc378f1415fa6
- SHA256: 41d03ffe08056e401416800e77e2b6345812937778d696f96fc3ea8e3e34dc0c
- SHA512: 346e3509d97d8a173b934a1791466fc036613c3493c3e308834aee6c908d691798e0c2eecc7fdb4cb835e78143e409197f5e60749a5869014d5c2636a7305d2d
- SSDEEP: 6144:k4R+mwRSejONTL6S/cRW1H5W89hRXDj7yIRbhiH33mpa6ZGoir7lIOsUvfwVUCQx:k0+7JjOq0XRbxvyISnQRDpapnw+
Malware Config
Signatures
- Deletes itself (1 IoC): PID 628, 0343e10403bfb842d91e71c0a127502b.exe
- Executes dropped EXE (1 IoC): PID 628, 0343e10403bfb842d91e71c0a127502b.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC): PID 628, 0343e10403bfb842d91e71c0a127502b.exe
  The ThreadHideFromDebugger information class stops the calling thread's debug events from reaching an attached debugger; it is a common anti-debugging check.
- Creates scheduled task(s) (1 TTP, 1 IoC): PID 4760, schtasks.exe
  Schtasks is often used by malware for persistence or to perform post-infection execution. The task created here (see the process tree) re-launches the Temp-resident copy of the sample at every logon with /RL HIGHEST.
- Suspicious behavior: EnumeratesProcesses (2 IoCs): PID 628, 0343e10403bfb842d91e71c0a127502b.exe (2 entries)
- Suspicious behavior: RenamesItself (1 IoC): PID 5008, 0343e10403bfb842d91e71c0a127502b.exe
- Suspicious use of UnmapMainImage (2 IoCs): PID 5008 and PID 628, both 0343e10403bfb842d91e71c0a127502b.exe
  Unmapping a process's main image (NtUnmapViewOfSection on the image base) is the classic first step of process hollowing, before a replacement image is written into the emptied region.
- Suspicious use of WriteProcessMemory (6 IoCs):
  description | pid | Process | procid_target
  PID 5008 wrote to memory of 628 | 5008 | 0343e10403bfb842d91e71c0a127502b.exe | 53 (3 identical entries)
  PID 628 wrote to memory of 4760 | 628 | 0343e10403bfb842d91e71c0a127502b.exe | 69 (3 identical entries)
  The 5008 -> 628 writes go into a second copy of the sample's own image; the 628 -> 4760 writes are consistent with the ordinary writes a parent makes into a child it has just created with CreateProcess (here schtasks.exe).
Processes
1. C:\Users\Admin\AppData\Local\Temp\0343e10403bfb842d91e71c0a127502b.exe (PID 5008)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0343e10403bfb842d91e71c0a127502b.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\0343e10403bfb842d91e71c0a127502b.exe (PID 628, child of 5008)
      Command line: C:\Users\Admin\AppData\Local\Temp\0343e10403bfb842d91e71c0a127502b.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe (PID 4760, child of 628)
         Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0343e10403bfb842d91e71c0a127502b.exe" /TN Google_Trk_Updater /F
         - Creates scheduled task(s)

The scheduled task points /TR at the sample's own path under the user's Temp directory, runs at every logon (/SC ONLOGON) with the highest available run level (/RL HIGHEST), and uses /F to overwrite any existing task of the same name; the name Google_Trk_Updater mimics a vendor updater. schtasks.exe is launched from SysWOW64 rather than System32, which is the file-system redirection a 32-bit process gets on this x64 image (matching the arch:x86 resource tag).
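As an added example, not part of the sandbox report or of the sample, the following Python script encodes two of the behaviours above as detection checks: it parses the schtasks command line recorded for PID 4760 and flags the persistence indicators a practitioner would look for (binary launched from a user-writable directory, logon trigger, /RL HIGHEST, /F overwrite, vendor-lookalike task name), and it walks the WriteProcessMemory pairs from the Signatures section to pick out a parent writing into a second copy of its own image. The benign schtasks line, the placeholder parent PID 1000 for process 5008, and the event tuple layout are constructed assumptions for the demonstration; the report supplies none of them.

```python
import re

# The schtasks.exe command line recorded for PID 4760 in the report, verbatim.
SCHTASKS_FROM_REPORT = (
    r'schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON '
    r'/TR "C:\Users\Admin\AppData\Local\Temp\0343e10403bfb842d91e71c0a127502b.exe" '
    r'/TN Google_Trk_Updater /F'
)

# Constructed benign line for comparison; not from the report.
BENIGN_SCHTASKS = (
    r'schtasks.exe /CREATE /SC DAILY /ST 09:00 '
    r'/TR "C:\Program Files\Vendor\updater.exe" /TN Vendor_Update'
)

# Process creation events shaped like the report's tree: (pid, parent pid, image path).
# The parent of PID 5008 is not on the page; 1000 is a placeholder (assumption).
PROCESS_EVENTS = [
    (5008, 1000, r'C:\Users\Admin\AppData\Local\Temp\0343e10403bfb842d91e71c0a127502b.exe'),
    (628, 5008, r'C:\Users\Admin\AppData\Local\Temp\0343e10403bfb842d91e71c0a127502b.exe'),
    (4760, 628, r'C:\Windows\SysWOW64\schtasks.exe'),
]

# (writer pid, target pid) pairs as listed under "Suspicious use of WriteProcessMemory".
WRITE_EVENTS = [(5008, 628)] * 3 + [(628, 4760)] * 3

_TOKEN = re.compile(r'"[^"]*"|\S+')          # quoted strings stay whole
_USER_WRITABLE = re.compile(r'\\(?:AppData|Temp|Downloads|Public|ProgramData)\\', re.IGNORECASE)
_VENDOR_WORDS = re.compile(r'google|microsoft|windows|adobe|intel|nvidia', re.IGNORECASE)
_BOOT_TRIGGERS = ('ONLOGON', 'ONSTART', 'ONIDLE')


def parse_schtasks(cmdline):
    """Map each /FLAG to its value, or to True for a bare switch such as /CREATE or /F.

    A flag followed by a token that does not itself start with '/' takes that token
    as its value (surrounding quotes removed); otherwise it is a bare switch.
    """
    tokens = _TOKEN.findall(cmdline)
    args = {}
    i = 1                                    # tokens[0] is the executable name
    while i < len(tokens):
        if tokens[i].startswith('/'):
            flag = tokens[i].upper()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith('/'):
                args[flag] = tokens[i + 1].strip('"')
                i += 2
                continue
            args[flag] = True
        i += 1
    return args


def _text(args, flag):
    """Value of a flag as a string; '' when absent or given without a value."""
    value = args.get(flag, '')
    return value if isinstance(value, str) else ''


def assess_schtasks(cmdline):
    """Return the persistence indicators present in a schtasks /CREATE line, in fixed order."""
    args = parse_schtasks(cmdline)
    if '/CREATE' not in args:
        return []
    task_run, task_name = _text(args, '/TR'), _text(args, '/TN')
    findings = []
    if _USER_WRITABLE.search(task_run):
        findings.append('user_writable_path')        # binary lives where any user can write
    if _text(args, '/SC').upper() in _BOOT_TRIGGERS:
        findings.append('logon_trigger')             # re-runs without user action
    if _text(args, '/RL').upper() == 'HIGHEST':
        findings.append('highest_privilege')         # asks for the elevated token when available
    if args.get('/F') is True:
        findings.append('force_overwrite')           # silently replaces a same-named task
    if _VENDOR_WORDS.search(task_name) and 'user_writable_path' in findings:
        findings.append('vendor_lookalike_name')     # vendor-sounding name, non-vendor path
    return findings


def self_injection_pairs(process_events, write_events):
    """Return sorted (writer, target) pairs where a process writes into a child that runs
    a second copy of the writer's own image.

    Writes into a freshly created child of a different image (628 -> schtasks.exe here)
    are the ordinary setup a parent does after CreateProcess and are not flagged; the
    same-image case, together with UnmapMainImage in the report, is the shape of a
    hollowing-style self-launch.
    """
    image = {pid: path.lower() for pid, _, path in process_events}
    parent = {pid: ppid for pid, ppid, _ in process_events}
    flagged = set()
    for writer, target in write_events:
        if parent.get(target) == writer and image.get(writer) == image.get(target):
            flagged.add((writer, target))
    return sorted(flagged)


if __name__ == '__main__':
    print('report schtasks :', assess_schtasks(SCHTASKS_FROM_REPORT))
    print('benign schtasks :', assess_schtasks(BENIGN_SCHTASKS))
    print('self-injection  :', self_injection_pairs(PROCESS_EVENTS, WRITE_EVENTS))
```

The parser deliberately keys only on the flag grammar of schtasks (a flag either takes the next non-flag token or stands alone), so it does not need a list of every switch; the same-image check is a shape match on the process tree, not proof of hollowing, which would need the unmap-then-write sequence inside the target.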
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 68KB
  MD5: 4b561bb421842a7ddbaad2bd1c0ed62a
  SHA1: a98e8d272ad2e12f6b7c9f4172673d9ccb06bceb
  SHA256: 023547f4afc49182984a1f95d7cc71b5adcfee6bb4a48e5029bfc542cf224235
  SHA512: e42141f0eb38760ee493d450e5b379c152f34141c6c8ecbb760003174683b8c394b86a48f2e055b8356d75b60586e12d7e200f60c46374ea71fcdded685c6476