e9521682d9b447132a5e84aa75b84742438a3f65d592b3b5bd5cfea9b834370d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f3ace680f8970915f343bdc44bd8af0.exe
Size

242KB
MD5

0f3ace680f8970915f343bdc44bd8af0
SHA1

f86e80140e9e0c99c4c5f616c434f86ef4fc78a9
SHA256

e9521682d9b447132a5e84aa75b84742438a3f65d592b3b5bd5cfea9b834370d
SHA512

235d0eda2d22a8336b4d627d5901f7fe2962989986a3c7386fe40a473214c76424e83e9d9880d6e10c8bb534cc11dce5643a40e9a984b22ac6abf6280565dabc
SSDEEP

6144:7yXm01Y/Ak/HplW+mTodH3UicxA5YylWVkRV:uXm0C/x/JlW+Ic48sV4V

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2232	0f3ace680f8970915f343bdc44bd8af0.exe

Executes dropped EXE 1 IoCs

pid	Process
2232	0f3ace680f8970915f343bdc44bd8af0.exe

Loads dropped DLL 1 IoCs

pid	Process
2240	0f3ace680f8970915f343bdc44bd8af0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2232	0f3ace680f8970915f343bdc44bd8af0.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2232	0f3ace680f8970915f343bdc44bd8af0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2240	0f3ace680f8970915f343bdc44bd8af0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2240	0f3ace680f8970915f343bdc44bd8af0.exe
2232	0f3ace680f8970915f343bdc44bd8af0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2232	2240	0f3ace680f8970915f343bdc44bd8af0.exe	28
PID 2240 wrote to memory of 2232	2240	0f3ace680f8970915f343bdc44bd8af0.exe	28
PID 2240 wrote to memory of 2232	2240	0f3ace680f8970915f343bdc44bd8af0.exe	28
PID 2240 wrote to memory of 2232	2240	0f3ace680f8970915f343bdc44bd8af0.exe	28
PID 2232 wrote to memory of 2552	2232	0f3ace680f8970915f343bdc44bd8af0.exe	29
PID 2232 wrote to memory of 2552	2232	0f3ace680f8970915f343bdc44bd8af0.exe	29
PID 2232 wrote to memory of 2552	2232	0f3ace680f8970915f343bdc44bd8af0.exe	29
PID 2232 wrote to memory of 2552	2232	0f3ace680f8970915f343bdc44bd8af0.exe	29

C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe
"C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe
  C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe

Filesize
242KB

MD5
e613210f127875dd2107f6661aeefae2

SHA1
da33028545dfd2f111a34923a2ae36a64e77a557

SHA256
c82dfa2680829ebaee52c20a511d6a9df6b7a12e6957857095de33de956db5e2

SHA512
5adcaa30d7227ae84468e2c0eb12a6e921d7dac276e3bb77b20850c457784ec2fcc75f0ee172df801243c00ff2b0fdc5d8d2edca6057be15491de60ef613bd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe

Filesize
65KB

MD5
44cb02833ee4e75576ac398f913cf88e

SHA1
29cfb74246a31b16bb032cae72c39b17ca971e50

SHA256
1205f2b4cee38af6e3ffd09dd72d12ef389c68a879ed26ee2928166c125fc872

SHA512
a265f8f2bf37c7b27dcef3074a2c05d9d0824e50afba60d3c02f371e42b569df7d52bb1e56b93e944cb06ecc2d2cb286b5719600aab7dcd154f1aa7817b20277

Download Submit
memory/2232-18-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2232-20-0x00000000014C0000-0x0000000001577000-memory.dmp

Filesize
732KB

Download
memory/2232-17-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2232-29-0x0000000001580000-0x00000000015E7000-memory.dmp

Filesize
412KB

Download
memory/2232-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2240-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2240-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2240-2-0x0000000000190000-0x0000000000247000-memory.dmp

Filesize
732KB

Download
memory/2240-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2240-16-0x00000000014C0000-0x0000000001577000-memory.dmp

Filesize
732KB

Download