3738d77978fe4cb67330b550080a51483a29ac76a307dcd6f1020c76dd5c9b78

Analysis

max time kernel
141s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 04:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f07ab7978733df9b27803eed75f1702.exe
Size

506KB
MD5

0f07ab7978733df9b27803eed75f1702
SHA1

12cb38ad624d7e104beea9df17b442b95628e9f8
SHA256

3738d77978fe4cb67330b550080a51483a29ac76a307dcd6f1020c76dd5c9b78
SHA512

6161af3b22b110069dffba1ada04ccc128978e2797c9dbe6ea10f48384bab05aeb77f1743abc38bccbfc24bda0c3d81e82fc4f773d1d06e6fe7785bbf057e720
SSDEEP

6144:tEKsUKBG5PtKh98P6hmLs7scvbThGeWSjm2a/4W+ghVUmBsJfcTh:t98kqoko4vb1vWRR+gEmm2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5036	0f07ab7978733df9b27803eed75f1702.exe

Executes dropped EXE 1 IoCs

pid	Process
5036	0f07ab7978733df9b27803eed75f1702.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5036	0f07ab7978733df9b27803eed75f1702.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5036	0f07ab7978733df9b27803eed75f1702.exe
5036	0f07ab7978733df9b27803eed75f1702.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3964	0f07ab7978733df9b27803eed75f1702.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3964	0f07ab7978733df9b27803eed75f1702.exe
5036	0f07ab7978733df9b27803eed75f1702.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 5036	3964	0f07ab7978733df9b27803eed75f1702.exe	91
PID 3964 wrote to memory of 5036	3964	0f07ab7978733df9b27803eed75f1702.exe	91
PID 3964 wrote to memory of 5036	3964	0f07ab7978733df9b27803eed75f1702.exe	91
PID 5036 wrote to memory of 3228	5036	0f07ab7978733df9b27803eed75f1702.exe	92
PID 5036 wrote to memory of 3228	5036	0f07ab7978733df9b27803eed75f1702.exe	92
PID 5036 wrote to memory of 3228	5036	0f07ab7978733df9b27803eed75f1702.exe	92

C:\Users\Admin\AppData\Local\Temp\0f07ab7978733df9b27803eed75f1702.exe
"C:\Users\Admin\AppData\Local\Temp\0f07ab7978733df9b27803eed75f1702.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Users\Admin\AppData\Local\Temp\0f07ab7978733df9b27803eed75f1702.exe
  C:\Users\Admin\AppData\Local\Temp\0f07ab7978733df9b27803eed75f1702.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0f07ab7978733df9b27803eed75f1702.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0f07ab7978733df9b27803eed75f1702.exe

Filesize
506KB

MD5
bdaa02ec0784e6c1ff758ef05d5ac153

SHA1
95e439266e4a1d520ea6250dd90b418dcc3779be

SHA256
7c04db38d08efe6d9278f7fe54d93c55f8e01d3b84e4edf0018e9852de7ca362

SHA512
9c58d40cd8f04871d28e3d9c5a0b7e0e2e929ae2e8ba3fe83495d2453cc9c7abba197cfb003be9d596755f8042d247153475a04516bb3aaeb3fae28257ff126b

Download Submit
memory/3964-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3964-1-0x0000000001490000-0x0000000001513000-memory.dmp

Filesize
524KB

Download
memory/3964-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3964-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5036-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5036-14-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/5036-20-0x0000000004F10000-0x0000000004F8E000-memory.dmp

Filesize
504KB

Download
memory/5036-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5036-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download