ebb6fb0a75ea0a5b310a7cd67defaa7670dc147d6d95857b8a81536aca991ff8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 06:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b9fb1fcb604db5e07e6f8b7950da243.exe
Size

1000KB
MD5

2b9fb1fcb604db5e07e6f8b7950da243
SHA1

dc7bea5f0e5d929c1740f2283531a9ddf3eda1fd
SHA256

ebb6fb0a75ea0a5b310a7cd67defaa7670dc147d6d95857b8a81536aca991ff8
SHA512

6f9645fe2e566e2cc3cca7335cf19427272f0dfbfb624e90837754fba5d7eda1356f4c2d22819b7dbc39237fc6157a82abe5ed230997fe84aa9cecae5c146645
SSDEEP

24576:VWiI9nhGz2PpeJUOwhEbcyduhAeRJ2kHNvAWr1B+5vMiqt0gj2ed:V5I9hG4QN4lRJ/HxAWjqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4600	2b9fb1fcb604db5e07e6f8b7950da243.exe

Executes dropped EXE 1 IoCs

pid	Process
4600	2b9fb1fcb604db5e07e6f8b7950da243.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4600	2b9fb1fcb604db5e07e6f8b7950da243.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4600	2b9fb1fcb604db5e07e6f8b7950da243.exe
4600	2b9fb1fcb604db5e07e6f8b7950da243.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3140	2b9fb1fcb604db5e07e6f8b7950da243.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3140	2b9fb1fcb604db5e07e6f8b7950da243.exe
4600	2b9fb1fcb604db5e07e6f8b7950da243.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 4600	3140	2b9fb1fcb604db5e07e6f8b7950da243.exe	89
PID 3140 wrote to memory of 4600	3140	2b9fb1fcb604db5e07e6f8b7950da243.exe	89
PID 3140 wrote to memory of 4600	3140	2b9fb1fcb604db5e07e6f8b7950da243.exe	89
PID 4600 wrote to memory of 3424	4600	2b9fb1fcb604db5e07e6f8b7950da243.exe	91
PID 4600 wrote to memory of 3424	4600	2b9fb1fcb604db5e07e6f8b7950da243.exe	91
PID 4600 wrote to memory of 3424	4600	2b9fb1fcb604db5e07e6f8b7950da243.exe	91

C:\Users\Admin\AppData\Local\Temp\2b9fb1fcb604db5e07e6f8b7950da243.exe
"C:\Users\Admin\AppData\Local\Temp\2b9fb1fcb604db5e07e6f8b7950da243.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\2b9fb1fcb604db5e07e6f8b7950da243.exe
  C:\Users\Admin\AppData\Local\Temp\2b9fb1fcb604db5e07e6f8b7950da243.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\2b9fb1fcb604db5e07e6f8b7950da243.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2b9fb1fcb604db5e07e6f8b7950da243.exe

Filesize
1000KB

MD5
a6060c60be2e3eb6b0b66f415dfffd17

SHA1
7397dbfe891dd756e715ab67fcf6962d5ce000aa

SHA256
86c8ddd561c1388e66f9899951cf7fc963fda34609d6ae347c989dfb8e3bfe19

SHA512
bf66de1c6c0aeec8e35020a9af85d14751e2979faf2b426af780bc5e3911113f9e95225a7c9a492c0a5b965931a17c89b4f8fe354d5aae81b7de2296a984760f

Download Submit
memory/3140-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3140-1-0x0000000001690000-0x0000000001713000-memory.dmp

Filesize
524KB

Download
memory/3140-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3140-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4600-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4600-15-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4600-20-0x0000000004F70000-0x0000000004FEE000-memory.dmp

Filesize
504KB

Download
memory/4600-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4600-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download