2a1fbb6d1b49c004293ce823f9559e3712b1edec093efe04cf55857b3b4e242f

Analysis

max time kernel
167s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 01:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

09cd00d8191197b8775e4d5747283dca.exe
Size

1000KB
MD5

09cd00d8191197b8775e4d5747283dca
SHA1

ab0bad552171f869a341c3eea6b5927fa5daa7e8
SHA256

2a1fbb6d1b49c004293ce823f9559e3712b1edec093efe04cf55857b3b4e242f
SHA512

fa211769313cefbb28fa9d1df0bf792fc5f19f0bf9c5484057182872a10d5cca84bfacddd76e99b1355bad4f899da87e2ee946f034fd22ac82b07c6c6bf95059
SSDEEP

24576:QBD7XUwP3nH/96yPsONcMA1B+5vMiqt0gj2ed:QB3Xt3H/96yPs7MKqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4100	09cd00d8191197b8775e4d5747283dca.exe

Executes dropped EXE 1 IoCs

pid	Process
4100	09cd00d8191197b8775e4d5747283dca.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4100	09cd00d8191197b8775e4d5747283dca.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4100	09cd00d8191197b8775e4d5747283dca.exe
4100	09cd00d8191197b8775e4d5747283dca.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
936	09cd00d8191197b8775e4d5747283dca.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
936	09cd00d8191197b8775e4d5747283dca.exe
4100	09cd00d8191197b8775e4d5747283dca.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 4100	936	09cd00d8191197b8775e4d5747283dca.exe	95
PID 936 wrote to memory of 4100	936	09cd00d8191197b8775e4d5747283dca.exe	95
PID 936 wrote to memory of 4100	936	09cd00d8191197b8775e4d5747283dca.exe	95
PID 4100 wrote to memory of 3628	4100	09cd00d8191197b8775e4d5747283dca.exe	96
PID 4100 wrote to memory of 3628	4100	09cd00d8191197b8775e4d5747283dca.exe	96
PID 4100 wrote to memory of 3628	4100	09cd00d8191197b8775e4d5747283dca.exe	96

C:\Users\Admin\AppData\Local\Temp\09cd00d8191197b8775e4d5747283dca.exe
"C:\Users\Admin\AppData\Local\Temp\09cd00d8191197b8775e4d5747283dca.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\09cd00d8191197b8775e4d5747283dca.exe
  C:\Users\Admin\AppData\Local\Temp\09cd00d8191197b8775e4d5747283dca.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\09cd00d8191197b8775e4d5747283dca.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\09cd00d8191197b8775e4d5747283dca.exe

Filesize
1000KB

MD5
698d6234b3c8daacdf8ac2b220385495

SHA1
dd32369825a8cc3d2bb2b669e3b81e60e916eef9

SHA256
c6c97ccb5fc1ac1a74c4a470609665c2c1ef94f9c953826ee7ba6db38dce0bd6

SHA512
849332d3665242e18ae497cbdf21e33422aceb7042bdd2db6e07a4c533ea5ce96df6b9d0f8325ee329abe5906fd3046cf2377072d637fc9a96e1de018bc94363

Download Submit
memory/936-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/936-1-0x0000000001620000-0x00000000016A3000-memory.dmp

Filesize
524KB

Download
memory/936-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/936-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4100-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4100-15-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4100-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4100-20-0x0000000004F10000-0x0000000004F8E000-memory.dmp

Filesize
504KB

Download
memory/4100-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download