Overview

overview

7

Static

static

3

2d576b0988...5d.exe

windows7-x64

7

2d576b0988...5d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2023 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d576b0988234b63764b850e5015075d.exe

  • Size

    2.0MB

  • MD5

    2d576b0988234b63764b850e5015075d

  • SHA1

    e61f1f1df0a841349d159c7ec97b818b6d91393a

  • SHA256

    70f3eb4e628006ce78ab43cd5bb92434d403aea5e26645e435618f5317679b59

  • SHA512

    51f5e8db48e132c32b744670aae6d7cb6f1f4f2730abbd78db15102e8098a4aefd2621481fe6b23c345be8d2a82243b90fd97819667dd86db5088f3df2bbb521

  • SSDEEP

    24576:mhR1G/RcMquyep4t/Yceaq1B+5vMiqt0gj2e6lgir/IsDXqqa433mT6z1B+5vMii:mhRgZTKlMqOMlg2/HjC433JqO7

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d576b0988234b63764b850e5015075d.exe
    "C:\Users\Admin\AppData\Local\Temp\2d576b0988234b63764b850e5015075d.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Users\Admin\AppData\Local\Temp\2d576b0988234b63764b850e5015075d.exe
      C:\Users\Admin\AppData\Local\Temp\2d576b0988234b63764b850e5015075d.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\2d576b0988234b63764b850e5015075d.exe" /TN Google_Trk_Updater /F
        3⤵
        • Creates scheduled task(s)
        PID:3508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2d576b0988234b63764b850e5015075d.exe
    Filesize

    17KB

    MD5

    59ca1cc47077d7f6f6eaa286e96f5bc4

    SHA1

    e6e7c1b6d7963165bc8b2c7eaf76068e2b127132

    SHA256

    119fb8659cc9989eb7db926c03db09151208ab6311203d8b3819daf9a3f833b2

    SHA512

    1a581c16300ba3f80229eda179b2de4bd3774974161c82b80780b07db3bd20dfd9cb107dae20c33fd85e9b9070fe7eddd8e487b99754b0a8174b07324690df27

    Download Submit

  • memory/544-0-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/544-2-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/544-1-0x0000000000150000-0x00000000001D3000-memory.dmp

    Filesize

    524KB

    Download

  • memory/544-12-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/2136-16-0x0000000001510000-0x0000000001593000-memory.dmp

    Filesize

    524KB

    Download

  • memory/2136-20-0x00000000016A0000-0x000000000171E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/2136-21-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2136-13-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/2136-27-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download