0f458fdb36794508f19dd9386e493b3cd8f85ea2ed3594e6b86c735c20b6f057

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 14:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1b829075b7325d08c33709318189583f.exe
Size

506KB
MD5

1b829075b7325d08c33709318189583f
SHA1

8eb8fd9c5c7898a2d647edce23a4fac0ca0d69dd
SHA256

0f458fdb36794508f19dd9386e493b3cd8f85ea2ed3594e6b86c735c20b6f057
SHA512

da3d1c7462a193ad1dec3b21e81db4e8f8bf776c7ab11506d198ebd0578afe74b60588a066adfa1be2a8cee7c7d1e2e7c1228a2a56f4009474a954de743d94eb
SSDEEP

12288:wCpjgdjglV5cbmAyFO1C65OYzwa/aNmZnPw3:wC96718Y/aNwC

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4048	1b829075b7325d08c33709318189583f.exe

Executes dropped EXE 1 IoCs

pid	Process
4048	1b829075b7325d08c33709318189583f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4048	1b829075b7325d08c33709318189583f.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4048	1b829075b7325d08c33709318189583f.exe
4048	1b829075b7325d08c33709318189583f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4220	1b829075b7325d08c33709318189583f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4220	1b829075b7325d08c33709318189583f.exe
4048	1b829075b7325d08c33709318189583f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 4048	4220	1b829075b7325d08c33709318189583f.exe	88
PID 4220 wrote to memory of 4048	4220	1b829075b7325d08c33709318189583f.exe	88
PID 4220 wrote to memory of 4048	4220	1b829075b7325d08c33709318189583f.exe	88
PID 4048 wrote to memory of 4640	4048	1b829075b7325d08c33709318189583f.exe	92
PID 4048 wrote to memory of 4640	4048	1b829075b7325d08c33709318189583f.exe	92
PID 4048 wrote to memory of 4640	4048	1b829075b7325d08c33709318189583f.exe	92

C:\Users\Admin\AppData\Local\Temp\1b829075b7325d08c33709318189583f.exe
"C:\Users\Admin\AppData\Local\Temp\1b829075b7325d08c33709318189583f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Local\Temp\1b829075b7325d08c33709318189583f.exe
  C:\Users\Admin\AppData\Local\Temp\1b829075b7325d08c33709318189583f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\1b829075b7325d08c33709318189583f.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1b829075b7325d08c33709318189583f.exe

Filesize
506KB

MD5
1ee3f67f628c80416804fed858d20f3e

SHA1
360b520795ddd722f2bb51720f65e840ac366460

SHA256
2f0ebdb6346825e74a0d90c6a247e5ed11fd6560478b0d4d3213cfdb657ac3cc

SHA512
226c69bcaac2b510f6022fcdf94af2468250d7898a7138d49de5b278393c09377e80a098810332bbb7a4f31e8073aa547469c36faa93a5645bc1ce723ecc4815

Download Submit
memory/4048-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4048-14-0x0000000001610000-0x0000000001693000-memory.dmp

Filesize
524KB

Download
memory/4048-20-0x0000000004F10000-0x0000000004F8E000-memory.dmp

Filesize
504KB

Download
memory/4048-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4048-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4220-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4220-1-0x0000000001620000-0x00000000016A3000-memory.dmp

Filesize
524KB

Download
memory/4220-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4220-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download