5848719114199ccfb664315ffba0d8c8715a0761646ed6daf2108b5f3028bfe3

Analysis

max time kernel
168s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2525b0f3a69a183eb2d609bb7aeb5b6e.exe
Size

1000KB
MD5

2525b0f3a69a183eb2d609bb7aeb5b6e
SHA1

5334ff947ddf8a36c9fbf0d9c5a2bf97ecc34fbb
SHA256

5848719114199ccfb664315ffba0d8c8715a0761646ed6daf2108b5f3028bfe3
SHA512

07932cc496473e009b1d80280ca88c06431a92fc35d87a298432decf9e97396f1674d42a4ed4fc22eb570eb5d4f08e0bcd72adbac81af977177448a56b2f3f60
SSDEEP

12288:nOY+AA+FcNigV9JAJ+QsYoAKQUehhtTCWc0QEF8avECaBwQ2tb5JLrnylUPqt0gD:nRLAvDCJ+YlHT7c0y1B+5vMiqt0gj2ed

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2436	2525b0f3a69a183eb2d609bb7aeb5b6e.exe

Executes dropped EXE 1 IoCs

pid	Process
2436	2525b0f3a69a183eb2d609bb7aeb5b6e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2436	2525b0f3a69a183eb2d609bb7aeb5b6e.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2436	2525b0f3a69a183eb2d609bb7aeb5b6e.exe
2436	2525b0f3a69a183eb2d609bb7aeb5b6e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5112	2525b0f3a69a183eb2d609bb7aeb5b6e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5112	2525b0f3a69a183eb2d609bb7aeb5b6e.exe
2436	2525b0f3a69a183eb2d609bb7aeb5b6e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 2436	5112	2525b0f3a69a183eb2d609bb7aeb5b6e.exe	91
PID 5112 wrote to memory of 2436	5112	2525b0f3a69a183eb2d609bb7aeb5b6e.exe	91
PID 5112 wrote to memory of 2436	5112	2525b0f3a69a183eb2d609bb7aeb5b6e.exe	91
PID 2436 wrote to memory of 4952	2436	2525b0f3a69a183eb2d609bb7aeb5b6e.exe	93
PID 2436 wrote to memory of 4952	2436	2525b0f3a69a183eb2d609bb7aeb5b6e.exe	93
PID 2436 wrote to memory of 4952	2436	2525b0f3a69a183eb2d609bb7aeb5b6e.exe	93

C:\Users\Admin\AppData\Local\Temp\2525b0f3a69a183eb2d609bb7aeb5b6e.exe
"C:\Users\Admin\AppData\Local\Temp\2525b0f3a69a183eb2d609bb7aeb5b6e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\2525b0f3a69a183eb2d609bb7aeb5b6e.exe
  C:\Users\Admin\AppData\Local\Temp\2525b0f3a69a183eb2d609bb7aeb5b6e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\2525b0f3a69a183eb2d609bb7aeb5b6e.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2525b0f3a69a183eb2d609bb7aeb5b6e.exe

Filesize
1000KB

MD5
62aafddc66cb84d8577e10ffab7ddc2c

SHA1
515fe6fc3ce4d7cee55c1e4a8a821977028083da

SHA256
de317eb0c54b5e8b56f6c2dbb0aec48144207217ef3067f8cba82f782cb543d2

SHA512
728bd4f015193f8e89048a05dad5c6883110cf411a69720e7099d30004f7219ba8732b7e0a39f9b7df95cb7db81482bd4d957e4a2e1448fec455f42e3a3777cf

Download Submit
memory/2436-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2436-14-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2436-20-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2436-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2436-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5112-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5112-1-0x0000000001610000-0x0000000001693000-memory.dmp

Filesize
524KB

Download
memory/5112-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5112-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download