24f2961c2d9af45827f30e6b9e34c5e7f46c3d58bef89be98a4011deb7b6cc32

General

Target

389e80f58104bafa3ecef160b33d108f.exe
Size

506KB
MD5

389e80f58104bafa3ecef160b33d108f
SHA1

42cf21ce6dab3bc568b4d070d2020e920509eaed
SHA256

24f2961c2d9af45827f30e6b9e34c5e7f46c3d58bef89be98a4011deb7b6cc32
SHA512

f8f21beaa369df5119b481ee1f5990cafcd36de16109a7c40262c591d327bd8f83c14e53041e44d80b35713315663323e56b1bfd48d20280cffb5f586553d4d0
SSDEEP

12288:mP4aXUCkvExA4k4paIx5BchC7Vmt62ILFDcVLLB:u4zsxZasrchCpmt6xFc/B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2432	389e80f58104bafa3ecef160b33d108f.exe

Executes dropped EXE 1 IoCs

pid	Process
2432	389e80f58104bafa3ecef160b33d108f.exe

Loads dropped DLL 1 IoCs

pid	Process
2056	389e80f58104bafa3ecef160b33d108f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2432	389e80f58104bafa3ecef160b33d108f.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2432	389e80f58104bafa3ecef160b33d108f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2056	389e80f58104bafa3ecef160b33d108f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2056	389e80f58104bafa3ecef160b33d108f.exe
2432	389e80f58104bafa3ecef160b33d108f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2432	2056	389e80f58104bafa3ecef160b33d108f.exe	28
PID 2056 wrote to memory of 2432	2056	389e80f58104bafa3ecef160b33d108f.exe	28
PID 2056 wrote to memory of 2432	2056	389e80f58104bafa3ecef160b33d108f.exe	28
PID 2056 wrote to memory of 2432	2056	389e80f58104bafa3ecef160b33d108f.exe	28
PID 2432 wrote to memory of 2836	2432	389e80f58104bafa3ecef160b33d108f.exe	29
PID 2432 wrote to memory of 2836	2432	389e80f58104bafa3ecef160b33d108f.exe	29
PID 2432 wrote to memory of 2836	2432	389e80f58104bafa3ecef160b33d108f.exe	29
PID 2432 wrote to memory of 2836	2432	389e80f58104bafa3ecef160b33d108f.exe	29

C:\Users\Admin\AppData\Local\Temp\389e80f58104bafa3ecef160b33d108f.exe
"C:\Users\Admin\AppData\Local\Temp\389e80f58104bafa3ecef160b33d108f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\389e80f58104bafa3ecef160b33d108f.exe
  C:\Users\Admin\AppData\Local\Temp\389e80f58104bafa3ecef160b33d108f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\389e80f58104bafa3ecef160b33d108f.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\389e80f58104bafa3ecef160b33d108f.exe

Filesize
129KB

MD5
2bc1655c88b3a5facc53d2e7ef8fd0fb

SHA1
31288937da35fd3a82cb96aab8894137736b475c

SHA256
01e7a13542bd62f847f85d4a60981cc495aa11c83d15f74f4f0ba7b0ecc93941

SHA512
5eb7f0612b689146834bf44a063d5c6960dbeeb3ca2122779b2d7e31db5ad26e8d6c9ae01b7b2a615d6469bf4a4b9b054eaa1cab42d8f7833302f72dcb589a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\389e80f58104bafa3ecef160b33d108f.exe

Filesize
172KB

MD5
1b9d03695e9f55fc8fe96dac67efa459

SHA1
58208c3bc31b6974ae777371f61fc36f4a60c6a4

SHA256
65745471ecf492a4626e2098c113588939aa267e8e144bf2f7c47909b36a7fe0

SHA512
0b952245fc75497a7caa2ed3e307beecc4aa22f0f4ee83c377b32af53a84d0d9756b939748866b3bcb1e0a83bf3390ab2cb4a821a0912d1d4b71fecd7a91dfa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6F68.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
\Users\Admin\AppData\Local\Temp\389e80f58104bafa3ecef160b33d108f.exe

Filesize
506KB

MD5
4642c0db017286f3f96bc251d8456cbe

SHA1
3183690bdd3b13732975751ea122ee9ffcae018a

SHA256
5cb351ee3af23b1e685452073b58bb265df4ba7c0531b0bb67af7e4693c4ae85

SHA512
7fc8d049e438b8138b84516f1f37bbc4669c4cf205f46001cf3a86994aa9281668dcbc88137bbad3a67b6748e6b0341abfac27826eefc23c8c87e75a11c72709

Download Submit
memory/2056-15-0x0000000002BB0000-0x0000000002C33000-memory.dmp

Filesize
524KB

Download
memory/2056-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2056-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2056-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2056-1-0x0000000000320000-0x00000000003A3000-memory.dmp

Filesize
524KB

Download
memory/2432-18-0x0000000000320000-0x00000000003A3000-memory.dmp

Filesize
524KB

Download
memory/2432-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2432-26-0x0000000002D50000-0x0000000002DCE000-memory.dmp

Filesize
504KB

Download
memory/2432-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads