69a0caaf4d65e5d83157815fc8057a667c0e7c9da5ffb78faa556765a99db16b

Analysis

max time kernel
178s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b81a3f4c872501893afd06138af23d1.exe
Size

1000KB
MD5

2b81a3f4c872501893afd06138af23d1
SHA1

625d334c69e5fc524570d9d5b8fe8d60db0b63db
SHA256

69a0caaf4d65e5d83157815fc8057a667c0e7c9da5ffb78faa556765a99db16b
SHA512

cc88afdcea4d5318071de6a6e38bc2bae56cade061d4e3ece03e10c471f94ebd13c3651e9eaa2cecc6c5770bb9a2e1f0096d8691c88595b584e593f192d93263
SSDEEP

24576:UlpZ3/64tbXNx6Fu8n1B+5vMiqt0gj2ed:wBJN0Fu8XqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1468	2b81a3f4c872501893afd06138af23d1.exe

Executes dropped EXE 1 IoCs

pid	Process
1468	2b81a3f4c872501893afd06138af23d1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1468	2b81a3f4c872501893afd06138af23d1.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1468	2b81a3f4c872501893afd06138af23d1.exe
1468	2b81a3f4c872501893afd06138af23d1.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
944	2b81a3f4c872501893afd06138af23d1.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
944	2b81a3f4c872501893afd06138af23d1.exe
1468	2b81a3f4c872501893afd06138af23d1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 1468	944	2b81a3f4c872501893afd06138af23d1.exe	89
PID 944 wrote to memory of 1468	944	2b81a3f4c872501893afd06138af23d1.exe	89
PID 944 wrote to memory of 1468	944	2b81a3f4c872501893afd06138af23d1.exe	89
PID 1468 wrote to memory of 2696	1468	2b81a3f4c872501893afd06138af23d1.exe	93
PID 1468 wrote to memory of 2696	1468	2b81a3f4c872501893afd06138af23d1.exe	93
PID 1468 wrote to memory of 2696	1468	2b81a3f4c872501893afd06138af23d1.exe	93

C:\Users\Admin\AppData\Local\Temp\2b81a3f4c872501893afd06138af23d1.exe
"C:\Users\Admin\AppData\Local\Temp\2b81a3f4c872501893afd06138af23d1.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:944
- C:\Users\Admin\AppData\Local\Temp\2b81a3f4c872501893afd06138af23d1.exe
  C:\Users\Admin\AppData\Local\Temp\2b81a3f4c872501893afd06138af23d1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\2b81a3f4c872501893afd06138af23d1.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2b81a3f4c872501893afd06138af23d1.exe

Filesize
1000KB

MD5
8c6c0b333f7da3d847dee510c742a22d

SHA1
70078114d50a3463a2be847a0012b7aeb4877a18

SHA256
35068fb0a84011c8c427c0426ad81aec0dc17745acfab9ae81a95eda4de7f263

SHA512
45b8023ab40ebdf89912b07e1395311eb62b5551cb980ed8fa5f2a49b619c6286aae37fcb71e5d47f0177975012e26c7190f240cc736e6f89a3b6bb33b186f68

Download Submit
memory/944-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/944-1-0x0000000000170000-0x00000000001F3000-memory.dmp

Filesize
524KB

Download
memory/944-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/944-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1468-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1468-14-0x0000000001640000-0x00000000016C3000-memory.dmp

Filesize
524KB

Download
memory/1468-20-0x0000000004F70000-0x0000000004FEE000-memory.dmp

Filesize
504KB

Download
memory/1468-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1468-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download