2d7b8d87ee1b489066cfdcb1619d7ea77dd4d2599558ad9e65f98787f06e7ce1

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20a906b4b5c9b28b2a81e3baee02b291.exe
Size

241KB
MD5

20a906b4b5c9b28b2a81e3baee02b291
SHA1

3d7872c18d685a3e03c9d9a2991852b623e89192
SHA256

2d7b8d87ee1b489066cfdcb1619d7ea77dd4d2599558ad9e65f98787f06e7ce1
SHA512

574a0efc7f54bc1810ea5462d3f795507ac2b559b2969484c317b20e79de15fd760b96d75225f887899f579eff05a33d053a231c820313e0159a0bdfd5585a90
SSDEEP

6144:Fyq1x49ikJ4tZaAFGpwkg4SRlDErQEiH7QuW:Fy19lJ4tgsGOkIuJuW

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4048	20a906b4b5c9b28b2a81e3baee02b291.exe

Executes dropped EXE 1 IoCs

pid	Process
4048	20a906b4b5c9b28b2a81e3baee02b291.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4048	20a906b4b5c9b28b2a81e3baee02b291.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4048	20a906b4b5c9b28b2a81e3baee02b291.exe
4048	20a906b4b5c9b28b2a81e3baee02b291.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4992	20a906b4b5c9b28b2a81e3baee02b291.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4992	20a906b4b5c9b28b2a81e3baee02b291.exe
4048	20a906b4b5c9b28b2a81e3baee02b291.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4048	4992	20a906b4b5c9b28b2a81e3baee02b291.exe	89
PID 4992 wrote to memory of 4048	4992	20a906b4b5c9b28b2a81e3baee02b291.exe	89
PID 4992 wrote to memory of 4048	4992	20a906b4b5c9b28b2a81e3baee02b291.exe	89
PID 4048 wrote to memory of 4012	4048	20a906b4b5c9b28b2a81e3baee02b291.exe	93
PID 4048 wrote to memory of 4012	4048	20a906b4b5c9b28b2a81e3baee02b291.exe	93
PID 4048 wrote to memory of 4012	4048	20a906b4b5c9b28b2a81e3baee02b291.exe	93

C:\Users\Admin\AppData\Local\Temp\20a906b4b5c9b28b2a81e3baee02b291.exe
"C:\Users\Admin\AppData\Local\Temp\20a906b4b5c9b28b2a81e3baee02b291.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\20a906b4b5c9b28b2a81e3baee02b291.exe
  C:\Users\Admin\AppData\Local\Temp\20a906b4b5c9b28b2a81e3baee02b291.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\20a906b4b5c9b28b2a81e3baee02b291.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20a906b4b5c9b28b2a81e3baee02b291.exe

Filesize
192KB

MD5
7465777da96f7747e4699dc981962f78

SHA1
b1105ad173dfada56d38536d00755a6ff451561d

SHA256
3cb24a0bf3eb5ab9ff22dc633480de0332be23675770669e53b18d834af168fe

SHA512
e60b92ef462c60eb5657e3f107de84c1831c752cbff5aa37ea0f86f95b9c381984d9579d8d5d539ce6b79f24c8401b56ad585ea6c384c8e9815a294d6098fd8d

Download Submit
memory/4048-14-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4048-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4048-16-0x0000000001650000-0x0000000001707000-memory.dmp

Filesize
732KB

Download
memory/4048-21-0x0000000004F50000-0x0000000004FB6000-memory.dmp

Filesize
408KB

Download
memory/4048-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4992-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4992-1-0x00000000014C0000-0x0000000001577000-memory.dmp

Filesize
732KB

Download
memory/4992-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4992-11-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download