bc9ee14d035d67d99fedbd353217e7015e0cf528a58ccb7266ddf0b6d80e28c4

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

223353ff958e58b3f9f7514367c7e565.exe
Size

1000KB
MD5

223353ff958e58b3f9f7514367c7e565
SHA1

e77734a62164652d7ebe3036ebf6a627827de6fb
SHA256

bc9ee14d035d67d99fedbd353217e7015e0cf528a58ccb7266ddf0b6d80e28c4
SHA512

e8b142daf143d58907e42084fef896ee54e3b910da2fdbe604bcf7dad0de8ee61daafc21476cae39f9080181c98fac28478bb53aa078390aab7c4912aadc203c
SSDEEP

24576:QQql8PNIcCc+5+rwWp1B+5vMiqt0gj2ed:QQqqqv5N4qOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3572	223353ff958e58b3f9f7514367c7e565.exe

Executes dropped EXE 1 IoCs

pid	Process
3572	223353ff958e58b3f9f7514367c7e565.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3572	223353ff958e58b3f9f7514367c7e565.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3572	223353ff958e58b3f9f7514367c7e565.exe
3572	223353ff958e58b3f9f7514367c7e565.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1428	223353ff958e58b3f9f7514367c7e565.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1428	223353ff958e58b3f9f7514367c7e565.exe
3572	223353ff958e58b3f9f7514367c7e565.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 3572	1428	223353ff958e58b3f9f7514367c7e565.exe	92
PID 1428 wrote to memory of 3572	1428	223353ff958e58b3f9f7514367c7e565.exe	92
PID 1428 wrote to memory of 3572	1428	223353ff958e58b3f9f7514367c7e565.exe	92
PID 3572 wrote to memory of 4976	3572	223353ff958e58b3f9f7514367c7e565.exe	94
PID 3572 wrote to memory of 4976	3572	223353ff958e58b3f9f7514367c7e565.exe	94
PID 3572 wrote to memory of 4976	3572	223353ff958e58b3f9f7514367c7e565.exe	94

C:\Users\Admin\AppData\Local\Temp\223353ff958e58b3f9f7514367c7e565.exe
"C:\Users\Admin\AppData\Local\Temp\223353ff958e58b3f9f7514367c7e565.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\223353ff958e58b3f9f7514367c7e565.exe
  C:\Users\Admin\AppData\Local\Temp\223353ff958e58b3f9f7514367c7e565.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\223353ff958e58b3f9f7514367c7e565.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\223353ff958e58b3f9f7514367c7e565.exe

Filesize
560KB

MD5
b718f1c31707a796e41eab3c55e990c8

SHA1
a1ac27a2e40f551a2a4aa5211b2b9d220a37ad26

SHA256
a7541235609904628e920fefd5a136bfc4f7c7a348b9a0546d8c8444a925f2de

SHA512
be9d26e4483cf677e2e5feba12a8aca22c4238f8edeeab06ab3413d8bb8f7e0fbd8087b35e8c2a86545beaf262de3c2673ea1fded978e4f8df659fe63087b38c

Download Submit
memory/1428-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1428-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/1428-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1428-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3572-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3572-14-0x0000000001660000-0x00000000016E3000-memory.dmp

Filesize
524KB

Download
memory/3572-20-0x0000000004F70000-0x0000000004FEE000-memory.dmp

Filesize
504KB

Download
memory/3572-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3572-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download