78e3e353c2bec57df7fcb893e759e853a13bc53190bdc560cbbccb371937aec8

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cfc61c1ed000e0120ecfc5fc5e62eea.exe
Size

506KB
MD5

0cfc61c1ed000e0120ecfc5fc5e62eea
SHA1

e70e0e8ad71514e0edc2be6e5a28076c9cc5286e
SHA256

78e3e353c2bec57df7fcb893e759e853a13bc53190bdc560cbbccb371937aec8
SHA512

53613ea1a71ca22fc2f5f4de81b044b29db1c46901fe42f673cf84d10829dc103e451766afdf9942afa96a8f07c86f6a3e2b9ef7e7d02eacbedc25c6865e3446
SSDEEP

12288:sPkz9/h1wzcaVVjzR+afAzAyKE8LRR+j+vpoyC:1L1zS5zCcJEcfe4FC

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2724	0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Executes dropped EXE 1 IoCs

pid	Process
2724	0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2724	0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2724	0cfc61c1ed000e0120ecfc5fc5e62eea.exe
2724	0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4672	0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4672	0cfc61c1ed000e0120ecfc5fc5e62eea.exe
2724	0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 2724	4672	0cfc61c1ed000e0120ecfc5fc5e62eea.exe	58
PID 4672 wrote to memory of 2724	4672	0cfc61c1ed000e0120ecfc5fc5e62eea.exe	58
PID 4672 wrote to memory of 2724	4672	0cfc61c1ed000e0120ecfc5fc5e62eea.exe	58
PID 2724 wrote to memory of 3084	2724	0cfc61c1ed000e0120ecfc5fc5e62eea.exe	85
PID 2724 wrote to memory of 3084	2724	0cfc61c1ed000e0120ecfc5fc5e62eea.exe	85
PID 2724 wrote to memory of 3084	2724	0cfc61c1ed000e0120ecfc5fc5e62eea.exe	85

C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe
"C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe
  C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe

Filesize
111KB

MD5
5f6793a71773ff46cb7eed6fa2120ecf

SHA1
9ed7ffe1698f7ca532da1a324d0d7075e4081bb8

SHA256
c38bff49b325ed5d4893cbf02e103d75f81284e33b02b47142f547db07151c90

SHA512
fdfd638b4b4f2fac8170a5c86865aee15b66d031fdc664a0cbe3130f4ba24b4d7750574aa7e2ed7ce11c9266c63bb13ee0761877ff307c10bd31af6179e8111e

Download Submit
memory/2724-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2724-16-0x0000000001680000-0x0000000001703000-memory.dmp

Filesize
524KB

Download
memory/2724-20-0x0000000004F20000-0x0000000004F9E000-memory.dmp

Filesize
504KB

Download
memory/2724-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2724-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4672-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4672-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4672-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4672-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download