5c428c1b8da9e185e5d47eaead448aa9f57e3cb101200d39bfc7efca333b7cd1

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a1f5e7a784154d85ef16004431c8ce3.exe
Size

1000KB
MD5

2a1f5e7a784154d85ef16004431c8ce3
SHA1

51de579a2f1ffcacb130180af1ebb5d91d075970
SHA256

5c428c1b8da9e185e5d47eaead448aa9f57e3cb101200d39bfc7efca333b7cd1
SHA512

021fdeac31d7f90ff07d9dc0cab749d2eb61baa560d636113d268af55c3a3e9ee2d0341a305073eb39d04fed99dc8ade059a51950309a936a15aa83f64694c3b
SSDEEP

24576:fku9XmKvOUAHBWlB98QMY1B+5vMiqt0gj2ed:fZiBcBSQLqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5004	2a1f5e7a784154d85ef16004431c8ce3.exe

Executes dropped EXE 1 IoCs

pid	Process
5004	2a1f5e7a784154d85ef16004431c8ce3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5004	2a1f5e7a784154d85ef16004431c8ce3.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5004	2a1f5e7a784154d85ef16004431c8ce3.exe
5004	2a1f5e7a784154d85ef16004431c8ce3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1716	2a1f5e7a784154d85ef16004431c8ce3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1716	2a1f5e7a784154d85ef16004431c8ce3.exe
5004	2a1f5e7a784154d85ef16004431c8ce3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 5004	1716	2a1f5e7a784154d85ef16004431c8ce3.exe	18
PID 1716 wrote to memory of 5004	1716	2a1f5e7a784154d85ef16004431c8ce3.exe	18
PID 1716 wrote to memory of 5004	1716	2a1f5e7a784154d85ef16004431c8ce3.exe	18
PID 5004 wrote to memory of 4332	5004	2a1f5e7a784154d85ef16004431c8ce3.exe	21
PID 5004 wrote to memory of 4332	5004	2a1f5e7a784154d85ef16004431c8ce3.exe	21
PID 5004 wrote to memory of 4332	5004	2a1f5e7a784154d85ef16004431c8ce3.exe	21

C:\Users\Admin\AppData\Local\Temp\2a1f5e7a784154d85ef16004431c8ce3.exe
"C:\Users\Admin\AppData\Local\Temp\2a1f5e7a784154d85ef16004431c8ce3.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\2a1f5e7a784154d85ef16004431c8ce3.exe
  C:\Users\Admin\AppData\Local\Temp\2a1f5e7a784154d85ef16004431c8ce3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\2a1f5e7a784154d85ef16004431c8ce3.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2a1f5e7a784154d85ef16004431c8ce3.exe

Filesize
92KB

MD5
ffaf6a61e5cc1f6831a9f63b005011ea

SHA1
946b36bcea01cf4aff8869151df3089e8e466055

SHA256
ba1ab9f6cadef84efa11fe7aea6d0e11b73645849a7ec8282c102a131960041c

SHA512
15baaadbac27e9b43e86343571a31680a62f2e194e6a1cd76b83de01f627016de1cacca7bc98d2485cbf15081f67b3eeaf88c206efc9570dd48833d634393bdf

Download Submit
memory/1716-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1716-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1716-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1716-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/5004-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5004-20-0x0000000004F10000-0x0000000004F8E000-memory.dmp

Filesize
504KB

Download
memory/5004-17-0x00000000016E0000-0x0000000001763000-memory.dmp

Filesize
524KB

Download
memory/5004-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5004-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download