6e105cc78c32f34a58f8aec0bdac17a2146555d65d677f36d27ab90bb112e2ae

Analysis

max time kernel
122s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13158ba939d9a5ba39667bb2b78d0287.exe
Size

506KB
MD5

13158ba939d9a5ba39667bb2b78d0287
SHA1

c700494eb9e1d89a7fcab0ef53a545dd0e577c4a
SHA256

6e105cc78c32f34a58f8aec0bdac17a2146555d65d677f36d27ab90bb112e2ae
SHA512

ca0f74966045ceb4bcaf41cee05629c4bbbb898cbdb9d5b03261e5e4f45e504b94c03c47fb92abc11068215fbc1ab2af2ada7980f091d08302bcf985edf571c4
SSDEEP

12288:Z0aJLQ9KXA+Id7bpDsweYADTCwfDYTAL+:Z0aJL4b1s1YADmqDqAC

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2432	13158ba939d9a5ba39667bb2b78d0287.exe

Executes dropped EXE 1 IoCs

pid	Process
2432	13158ba939d9a5ba39667bb2b78d0287.exe

Loads dropped DLL 1 IoCs

pid	Process
2220	13158ba939d9a5ba39667bb2b78d0287.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2432	13158ba939d9a5ba39667bb2b78d0287.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2432	13158ba939d9a5ba39667bb2b78d0287.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2220	13158ba939d9a5ba39667bb2b78d0287.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2220	13158ba939d9a5ba39667bb2b78d0287.exe
2432	13158ba939d9a5ba39667bb2b78d0287.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2432	2220	13158ba939d9a5ba39667bb2b78d0287.exe	30
PID 2220 wrote to memory of 2432	2220	13158ba939d9a5ba39667bb2b78d0287.exe	30
PID 2220 wrote to memory of 2432	2220	13158ba939d9a5ba39667bb2b78d0287.exe	30
PID 2220 wrote to memory of 2432	2220	13158ba939d9a5ba39667bb2b78d0287.exe	30
PID 2432 wrote to memory of 2692	2432	13158ba939d9a5ba39667bb2b78d0287.exe	28
PID 2432 wrote to memory of 2692	2432	13158ba939d9a5ba39667bb2b78d0287.exe	28
PID 2432 wrote to memory of 2692	2432	13158ba939d9a5ba39667bb2b78d0287.exe	28
PID 2432 wrote to memory of 2692	2432	13158ba939d9a5ba39667bb2b78d0287.exe	28

C:\Users\Admin\AppData\Local\Temp\13158ba939d9a5ba39667bb2b78d0287.exe
"C:\Users\Admin\AppData\Local\Temp\13158ba939d9a5ba39667bb2b78d0287.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\13158ba939d9a5ba39667bb2b78d0287.exe
  C:\Users\Admin\AppData\Local\Temp\13158ba939d9a5ba39667bb2b78d0287.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2432

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\13158ba939d9a5ba39667bb2b78d0287.exe" /TN Google_Trk_Updater /F
1⤵
- Creates scheduled task(s)
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2220-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2220-2-0x0000000000360000-0x00000000003E3000-memory.dmp

Filesize
524KB

Download
memory/2220-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2220-15-0x0000000002CC0000-0x0000000002D43000-memory.dmp

Filesize
524KB

Download
memory/2220-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2432-19-0x00000000001A0000-0x0000000000223000-memory.dmp

Filesize
524KB

Download
memory/2432-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2432-28-0x0000000002DD0000-0x0000000002E4E000-memory.dmp

Filesize
504KB

Download
memory/2432-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download