2ad56aa9915febdecd61e8a45d038b249fc2e03b3a571eb73dfd677378e233d4

Analysis

max time kernel
200s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36daa5b4821002fdb8d4f6a5aa113dd7.exe
Size

1000KB
MD5

36daa5b4821002fdb8d4f6a5aa113dd7
SHA1

1108d92742da0dc06228b4327e4dcdf57949f3b0
SHA256

2ad56aa9915febdecd61e8a45d038b249fc2e03b3a571eb73dfd677378e233d4
SHA512

25210e3afa4aacf012cae7ea2d76dead260294e1d346db464598868a3b3cd3344f5b3aed90ee07a1cdafbdbbdd09d0ddb4f652f508b401049541d93720cfe0dd
SSDEEP

12288:m74tnVS9m/aNh8q6/RNL69Bj/u2gyECaBwQ2tb5JLrnylUPqt0gHDS7eyod:xgmah56Jo9BTuh51B+5vMiqt0gj2ed

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1580	36daa5b4821002fdb8d4f6a5aa113dd7.exe

Executes dropped EXE 1 IoCs

pid	Process
1580	36daa5b4821002fdb8d4f6a5aa113dd7.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1580	36daa5b4821002fdb8d4f6a5aa113dd7.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1580	36daa5b4821002fdb8d4f6a5aa113dd7.exe
1580	36daa5b4821002fdb8d4f6a5aa113dd7.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2072	36daa5b4821002fdb8d4f6a5aa113dd7.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2072	36daa5b4821002fdb8d4f6a5aa113dd7.exe
1580	36daa5b4821002fdb8d4f6a5aa113dd7.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 1580	2072	36daa5b4821002fdb8d4f6a5aa113dd7.exe	93
PID 2072 wrote to memory of 1580	2072	36daa5b4821002fdb8d4f6a5aa113dd7.exe	93
PID 2072 wrote to memory of 1580	2072	36daa5b4821002fdb8d4f6a5aa113dd7.exe	93
PID 1580 wrote to memory of 1728	1580	36daa5b4821002fdb8d4f6a5aa113dd7.exe	97
PID 1580 wrote to memory of 1728	1580	36daa5b4821002fdb8d4f6a5aa113dd7.exe	97
PID 1580 wrote to memory of 1728	1580	36daa5b4821002fdb8d4f6a5aa113dd7.exe	97

C:\Users\Admin\AppData\Local\Temp\36daa5b4821002fdb8d4f6a5aa113dd7.exe
"C:\Users\Admin\AppData\Local\Temp\36daa5b4821002fdb8d4f6a5aa113dd7.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\36daa5b4821002fdb8d4f6a5aa113dd7.exe
  C:\Users\Admin\AppData\Local\Temp\36daa5b4821002fdb8d4f6a5aa113dd7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\36daa5b4821002fdb8d4f6a5aa113dd7.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\36daa5b4821002fdb8d4f6a5aa113dd7.exe

Filesize
1000KB

MD5
c231c13d81e45414d0b402a64f059f12

SHA1
bc62e040f319b44ef67a87e5fa5ff13a0befa71a

SHA256
903ec72f0ed7f173ea9997287cefda09c7e2cbd4ba642c032c364e00aa657eb9

SHA512
d58659042403ac9c851e6c16bdd37d007024bdd25cf511f284947b334d577e059ca71e5b4fce1347ec0707accca70a5d49ad8209e1c8eff2f6f5db2e8fd3ab2b

Download Submit
memory/1580-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1580-14-0x0000000001650000-0x00000000016D3000-memory.dmp

Filesize
524KB

Download
memory/1580-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1580-20-0x0000000004F60000-0x0000000004FDE000-memory.dmp

Filesize
504KB

Download
memory/1580-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2072-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2072-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2072-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2072-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download