2d7b8d87ee1b489066cfdcb1619d7ea77dd4d2599558ad9e65f98787f06e7ce1

General

Target

20a906b4b5c9b28b2a81e3baee02b291.exe
Size

241KB
MD5

20a906b4b5c9b28b2a81e3baee02b291
SHA1

3d7872c18d685a3e03c9d9a2991852b623e89192
SHA256

2d7b8d87ee1b489066cfdcb1619d7ea77dd4d2599558ad9e65f98787f06e7ce1
SHA512

574a0efc7f54bc1810ea5462d3f795507ac2b559b2969484c317b20e79de15fd760b96d75225f887899f579eff05a33d053a231c820313e0159a0bdfd5585a90
SSDEEP

6144:Fyq1x49ikJ4tZaAFGpwkg4SRlDErQEiH7QuW:Fy19lJ4tgsGOkIuJuW

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2968	20a906b4b5c9b28b2a81e3baee02b291.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	20a906b4b5c9b28b2a81e3baee02b291.exe

Loads dropped DLL 1 IoCs

pid	Process
2512	20a906b4b5c9b28b2a81e3baee02b291.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2968	20a906b4b5c9b28b2a81e3baee02b291.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2968	20a906b4b5c9b28b2a81e3baee02b291.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2512	20a906b4b5c9b28b2a81e3baee02b291.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2512	20a906b4b5c9b28b2a81e3baee02b291.exe
2968	20a906b4b5c9b28b2a81e3baee02b291.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2968	2512	20a906b4b5c9b28b2a81e3baee02b291.exe	30
PID 2512 wrote to memory of 2968	2512	20a906b4b5c9b28b2a81e3baee02b291.exe	30
PID 2512 wrote to memory of 2968	2512	20a906b4b5c9b28b2a81e3baee02b291.exe	30
PID 2512 wrote to memory of 2968	2512	20a906b4b5c9b28b2a81e3baee02b291.exe	30
PID 2968 wrote to memory of 2888	2968	20a906b4b5c9b28b2a81e3baee02b291.exe	29
PID 2968 wrote to memory of 2888	2968	20a906b4b5c9b28b2a81e3baee02b291.exe	29
PID 2968 wrote to memory of 2888	2968	20a906b4b5c9b28b2a81e3baee02b291.exe	29
PID 2968 wrote to memory of 2888	2968	20a906b4b5c9b28b2a81e3baee02b291.exe	29

C:\Users\Admin\AppData\Local\Temp\20a906b4b5c9b28b2a81e3baee02b291.exe
"C:\Users\Admin\AppData\Local\Temp\20a906b4b5c9b28b2a81e3baee02b291.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\20a906b4b5c9b28b2a81e3baee02b291.exe
  C:\Users\Admin\AppData\Local\Temp\20a906b4b5c9b28b2a81e3baee02b291.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2968

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\20a906b4b5c9b28b2a81e3baee02b291.exe" /TN Google_Trk_Updater /F
1⤵
- Creates scheduled task(s)
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20a906b4b5c9b28b2a81e3baee02b291.exe

Filesize
241KB

MD5
903b1b18d275b030c7e3d6214001642f

SHA1
8fb61c04a74226142c4f7fcdfafc88581cb73c50

SHA256
f3a8f43d906f98c3d48963388d1cdcddec13e62bf87104ec2c6768f4dd71c0fe

SHA512
129b5fd551483faaae79cc67fc334a5364813366f1125b45ecdf8d0d62e999b6f0893e7374ec7b9fc6fa451ee0ed2cecdff499c709924cca9242571156e271f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3FA1.tmp

Filesize
45KB

MD5
dc38d629e51926a750b443772d7c8c65

SHA1
2868765523e76b2e6706f18ecb665f4631a00d00

SHA256
21a98ea45d4ca76fc03cd769b01345da379395b41295e1506644149d0a378883

SHA512
beb8198332e8771a0475a925a4b31a8a80df9a04dc889442d1a4e024b1b66709acc3e347d50af1868d5d0c351d489cd454fc2523f752ea9dec56b9a9d6048ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3FB4.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2512-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2512-2-0x0000000000330000-0x00000000003E7000-memory.dmp

Filesize
732KB

Download
memory/2512-1-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2512-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2968-18-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2968-28-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/2968-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2968-20-0x00000000002C0000-0x0000000000377000-memory.dmp

Filesize
732KB

Download
memory/2968-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads