6496d4249261a12ff6a3546262ffe90931b59e4d4542ebe057fc9c1baf097b6e

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38cf765ca753d4309215eb08ad61e288.exe
Size

506KB
MD5

38cf765ca753d4309215eb08ad61e288
SHA1

dd08d70f41d44bdaeeb8eacc8135a7d3b2670b50
SHA256

6496d4249261a12ff6a3546262ffe90931b59e4d4542ebe057fc9c1baf097b6e
SHA512

648cf5d3c366b27db1bcb68a482c19842f9d169be4f08011f4310245f7b70abc88542d42aab5fce07dbb49a2322712536c9d334c283f4dc1fa159afecfee7c03
SSDEEP

12288:lU9Nusdjbzmrdp+gijasOzKbtLmG/ZP16RISeKs:6hN2Z2BOzK5qkZkzs

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1708	38cf765ca753d4309215eb08ad61e288.exe

Executes dropped EXE 1 IoCs

pid	Process
1708	38cf765ca753d4309215eb08ad61e288.exe

Loads dropped DLL 1 IoCs

pid	Process
2076	38cf765ca753d4309215eb08ad61e288.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1708	38cf765ca753d4309215eb08ad61e288.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1708	38cf765ca753d4309215eb08ad61e288.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2076	38cf765ca753d4309215eb08ad61e288.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2076	38cf765ca753d4309215eb08ad61e288.exe
1708	38cf765ca753d4309215eb08ad61e288.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1708	2076	38cf765ca753d4309215eb08ad61e288.exe	19
PID 2076 wrote to memory of 1708	2076	38cf765ca753d4309215eb08ad61e288.exe	19
PID 2076 wrote to memory of 1708	2076	38cf765ca753d4309215eb08ad61e288.exe	19
PID 2076 wrote to memory of 1708	2076	38cf765ca753d4309215eb08ad61e288.exe	19
PID 1708 wrote to memory of 2892	1708	38cf765ca753d4309215eb08ad61e288.exe	18
PID 1708 wrote to memory of 2892	1708	38cf765ca753d4309215eb08ad61e288.exe	18
PID 1708 wrote to memory of 2892	1708	38cf765ca753d4309215eb08ad61e288.exe	18
PID 1708 wrote to memory of 2892	1708	38cf765ca753d4309215eb08ad61e288.exe	18

C:\Users\Admin\AppData\Local\Temp\38cf765ca753d4309215eb08ad61e288.exe
"C:\Users\Admin\AppData\Local\Temp\38cf765ca753d4309215eb08ad61e288.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\38cf765ca753d4309215eb08ad61e288.exe
  C:\Users\Admin\AppData\Local\Temp\38cf765ca753d4309215eb08ad61e288.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1708

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\38cf765ca753d4309215eb08ad61e288.exe" /TN Google_Trk_Updater /F
1⤵
- Creates scheduled task(s)
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\38cf765ca753d4309215eb08ad61e288.exe

Filesize
93KB

MD5
2f75ea96ab919d0157ef74cbe009ec0e

SHA1
40419f3b7af9222ea6e9d20f4e122d8c3c4b0279

SHA256
086f0396252a80ef477499c977588e7b69774a2314f3e2faeb5787ab14577252

SHA512
7e5ac5a9cd7c973cc6d1bd3dc04d1ab43a58022b6a8d5e6ffcda605b4f7907da760555054788167d1d50cb1f35d67ff2df3f94a04b2e5d50959bc787c76abb50

Download Submit
\Users\Admin\AppData\Local\Temp\38cf765ca753d4309215eb08ad61e288.exe

Filesize
99KB

MD5
c71b3000b43647dbed8856aeed60cd74

SHA1
b72380871696cb7ab0069e93e78c9fe1dd9363fe

SHA256
c577c67fade20038befc80c71594473debbf26f90c64120c22bda606a4dd1cf9

SHA512
cebc93feca938108d736df21b5ee62f36838596cf01a82855203b8dd37eb3d19808bc97ce4beb8f2493ab53db3c6ca25bb4d5af81676f96f6f87a75e55aa9f7b

Download Submit
memory/1708-21-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1708-29-0x0000000001490000-0x000000000150E000-memory.dmp

Filesize
504KB

Download
memory/1708-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1708-18-0x0000000000290000-0x0000000000313000-memory.dmp

Filesize
524KB

Download
memory/1708-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2076-15-0x0000000002EB0000-0x0000000002F33000-memory.dmp

Filesize
524KB

Download
memory/2076-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2076-7-0x0000000001490000-0x0000000001513000-memory.dmp

Filesize
524KB

Download
memory/2076-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2076-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download