Overview

overview

7

Static

static

3

18c1d56028...27.exe

windows7-x64

7

18c1d56028...27.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 12:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    18c1d560280a68e556c61f7a63184c27.exe

  • Size

    1000KB

  • MD5

    18c1d560280a68e556c61f7a63184c27

  • SHA1

    59154a7f91134fc5fb5c995de3d6f26e802cae1e

  • SHA256

    37169a7313530dfc48ee16eb940c7f94d4ba85a905a41b9fa1003917647a44a5

  • SHA512

    fd004e34b05013a32e0c24ed21797b9d04f198cb96160bfd83c637e5ba06e5f40adda4e8183e2b61f7d25f8a38add204b6f9db88c0fd94185f32f9731360d2e6

  • SSDEEP

    24576:w3nPUid96RVCByEiryXy04g1B+5vMiqt0gj2ed:wfUidIRVmyEiGXJqOL

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18c1d560280a68e556c61f7a63184c27.exe
    "C:\Users\Admin\AppData\Local\Temp\18c1d560280a68e556c61f7a63184c27.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Users\Admin\AppData\Local\Temp\18c1d560280a68e556c61f7a63184c27.exe
      C:\Users\Admin\AppData\Local\Temp\18c1d560280a68e556c61f7a63184c27.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\18c1d560280a68e556c61f7a63184c27.exe" /TN Google_Trk_Updater /F
        3⤵
        • Creates scheduled task(s)
        PID:2880

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\18c1d560280a68e556c61f7a63184c27.exe
          Filesize

          1000KB

          MD5

          4cce5fb52afabfdf4e31213fcf2f6488

          SHA1

          9008c6d066c71b1d6726972edc5e0681dc458db4

          SHA256

          9b95ef9013332ab1d045ea45be4e89f9de18e4b3ee81f04edd400f7c8fe5b732

          SHA512

          a52f1a5edf468891f8055db2747b8c5ce72c4898cd987f0e085c1b0abdfedf264d9fec3a03d2118aefde35be04df371858d20cb36f5eb63778a8b54e0f07f302

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CabDDB4.tmp
          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\TarDDF5.tmp
          Filesize

          171KB

          MD5

          9c0c641c06238516f27941aa1166d427

          SHA1

          64cd549fb8cf014fcd9312aa7a5b023847b6c977

          SHA256

          4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

          SHA512

          936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

          Download Submit

        • \Users\Admin\AppData\Local\Temp\18c1d560280a68e556c61f7a63184c27.exe
          Filesize

          256KB

          MD5

          30bfdddf1481b05e97ec46c5bfe9c201

          SHA1

          2a9defa54e66a0be9ae67bbfbe10f915a611dd41

          SHA256

          5f3915b05e584c1e25ec197342c5015312544399e23d28fd1e6337252ce6a326

          SHA512

          81449aba94e56b01bbf7024cc87d832a983fcab4c1ce2dc59902d6ef9ce213926f5ad2fbbced7b46a6df1a643a200d93e257864fd3eec2a93ce1bbf4fb991b53

          Download Submit

        • memory/2448-15-0x0000000002E60000-0x0000000002EE3000-memory.dmp

          Filesize

          524KB

          Download

        • memory/2448-0-0x0000000000400000-0x0000000000483000-memory.dmp

          Filesize

          524KB

          Download

        • memory/2448-14-0x0000000000400000-0x000000000047E000-memory.dmp

          Filesize

          504KB

          Download

        • memory/2448-2-0x0000000000400000-0x000000000047E000-memory.dmp

          Filesize

          504KB

          Download

        • memory/2448-1-0x0000000001490000-0x0000000001513000-memory.dmp

          Filesize

          524KB

          Download

        • memory/2800-18-0x00000000002A0000-0x0000000000323000-memory.dmp

          Filesize

          524KB

          Download

        • memory/2800-20-0x0000000000400000-0x0000000000483000-memory.dmp

          Filesize

          524KB

          Download

        • memory/2800-24-0x0000000000400000-0x000000000045B000-memory.dmp

          Filesize

          364KB

          Download

        • memory/2800-28-0x0000000001570000-0x00000000015EE000-memory.dmp

          Filesize

          504KB

          Download

        • memory/2800-65-0x0000000000400000-0x000000000045B000-memory.dmp

          Filesize

          364KB

          Download