a956148d2270ef056d8b818e2514c01ceb9a6b19799003644368ac7199d7458c

Analysis

max time kernel
122s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-01-2024 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41154c35a65899bc18b7eeb3073b76ce.exe
Size

506KB
MD5

41154c35a65899bc18b7eeb3073b76ce
SHA1

c6f6f37885cf55bd61cc88b8ac6f273ee1693e1f
SHA256

a956148d2270ef056d8b818e2514c01ceb9a6b19799003644368ac7199d7458c
SHA512

c3a5efe149b4c712db51d65c47f62627907925e7d53401e3c6f9f53ba94b5ef2c123408b91936456864782d8327e04dfdc619f9301200bc41544911397741a24
SSDEEP

12288:R+yvRP6Stc5GfVH+mrzwhvuE3uINVoi3xio:AyJPxc5GVHlIvN3uIf3P

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2688	41154c35a65899bc18b7eeb3073b76ce.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	41154c35a65899bc18b7eeb3073b76ce.exe

Loads dropped DLL 1 IoCs

pid	Process
2524	41154c35a65899bc18b7eeb3073b76ce.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2688	41154c35a65899bc18b7eeb3073b76ce.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2688	41154c35a65899bc18b7eeb3073b76ce.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2524	41154c35a65899bc18b7eeb3073b76ce.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2524	41154c35a65899bc18b7eeb3073b76ce.exe
2688	41154c35a65899bc18b7eeb3073b76ce.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2688	2524	41154c35a65899bc18b7eeb3073b76ce.exe	28
PID 2524 wrote to memory of 2688	2524	41154c35a65899bc18b7eeb3073b76ce.exe	28
PID 2524 wrote to memory of 2688	2524	41154c35a65899bc18b7eeb3073b76ce.exe	28
PID 2524 wrote to memory of 2688	2524	41154c35a65899bc18b7eeb3073b76ce.exe	28
PID 2688 wrote to memory of 2712	2688	41154c35a65899bc18b7eeb3073b76ce.exe	29
PID 2688 wrote to memory of 2712	2688	41154c35a65899bc18b7eeb3073b76ce.exe	29
PID 2688 wrote to memory of 2712	2688	41154c35a65899bc18b7eeb3073b76ce.exe	29
PID 2688 wrote to memory of 2712	2688	41154c35a65899bc18b7eeb3073b76ce.exe	29

C:\Users\Admin\AppData\Local\Temp\41154c35a65899bc18b7eeb3073b76ce.exe
"C:\Users\Admin\AppData\Local\Temp\41154c35a65899bc18b7eeb3073b76ce.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\41154c35a65899bc18b7eeb3073b76ce.exe
  C:\Users\Admin\AppData\Local\Temp\41154c35a65899bc18b7eeb3073b76ce.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\41154c35a65899bc18b7eeb3073b76ce.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\41154c35a65899bc18b7eeb3073b76ce.exe

Filesize
64KB

MD5
b6c0bb7188a7d9cb3fc7ab35d6ab0107

SHA1
44822191ff488e0269dae615ef815d225a92d245

SHA256
2a43fcf879f6bdc5c1c6604786c4a17b22112f58c699f5f11f0cec96202b7d2e

SHA512
475692459db4e23beea278666ae9ddee9342530719acea6007b1e357c2ef56a987b387f86c9408b5a95e95e24dc2d23b16481d9fe32cab2e63c002ada15dd42e

Download Submit
\Users\Admin\AppData\Local\Temp\41154c35a65899bc18b7eeb3073b76ce.exe

Filesize
320KB

MD5
ecd2b0492ff418a735cc5e3bdb6f9c1a

SHA1
5a7edcfac6d836a0dc596770babd8ef91dcbd230

SHA256
bd84bd3fb674c8fe741a7253119bba772fffa5d64696c9e5b885cb59ee510e17

SHA512
2bacddcf90c8c6828fbae7161387cf6cf260276a1beddd9dc13cb2495a47845f21499542fab0ff0b15221ea34c63e78c2e977e156b6b344b298d3f85f290d723

Download Submit
memory/2524-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2524-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2524-2-0x0000000000270000-0x00000000002F3000-memory.dmp

Filesize
524KB

Download
memory/2524-15-0x0000000000300000-0x0000000000383000-memory.dmp

Filesize
524KB

Download
memory/2524-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2688-17-0x0000000001490000-0x0000000001513000-memory.dmp

Filesize
524KB

Download
memory/2688-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2688-25-0x0000000002DE0000-0x0000000002E5E000-memory.dmp

Filesize
504KB

Download
memory/2688-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download