1606a4e0484b9da96b2eb49c639afc88f461144a8e62777b0ff05f4f41c265c9

General

Target

413c800774c2169d9764c4b71fe0b6a6.exe
Size

506KB
MD5

413c800774c2169d9764c4b71fe0b6a6
SHA1

27c17fdd878f512e3953ecb1258083866dcd2bc4
SHA256

1606a4e0484b9da96b2eb49c639afc88f461144a8e62777b0ff05f4f41c265c9
SHA512

b30773f1a6b9dfb53c9324eca7719746d7d1b30303c8a0678640b1460df60cbefcaf84bde3ee7a393fbb00b974f6ba81c5e5cbcbce3bbe3f7e403f636d5b1120
SSDEEP

12288:aEotgFF8tuho2cHQn/AY5SSTjhqt/ZyWn:4tcF8t6cH0I2lTwjn

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2888	413c800774c2169d9764c4b71fe0b6a6.exe

Executes dropped EXE 1 IoCs

pid	Process
2888	413c800774c2169d9764c4b71fe0b6a6.exe

Loads dropped DLL 1 IoCs

pid	Process
1992	413c800774c2169d9764c4b71fe0b6a6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2888	413c800774c2169d9764c4b71fe0b6a6.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2888	413c800774c2169d9764c4b71fe0b6a6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1992	413c800774c2169d9764c4b71fe0b6a6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1992	413c800774c2169d9764c4b71fe0b6a6.exe
2888	413c800774c2169d9764c4b71fe0b6a6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2888	1992	413c800774c2169d9764c4b71fe0b6a6.exe	18
PID 1992 wrote to memory of 2888	1992	413c800774c2169d9764c4b71fe0b6a6.exe	18
PID 1992 wrote to memory of 2888	1992	413c800774c2169d9764c4b71fe0b6a6.exe	18
PID 1992 wrote to memory of 2888	1992	413c800774c2169d9764c4b71fe0b6a6.exe	18
PID 2888 wrote to memory of 2968	2888	413c800774c2169d9764c4b71fe0b6a6.exe	17
PID 2888 wrote to memory of 2968	2888	413c800774c2169d9764c4b71fe0b6a6.exe	17
PID 2888 wrote to memory of 2968	2888	413c800774c2169d9764c4b71fe0b6a6.exe	17
PID 2888 wrote to memory of 2968	2888	413c800774c2169d9764c4b71fe0b6a6.exe	17

C:\Users\Admin\AppData\Local\Temp\413c800774c2169d9764c4b71fe0b6a6.exe
"C:\Users\Admin\AppData\Local\Temp\413c800774c2169d9764c4b71fe0b6a6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\413c800774c2169d9764c4b71fe0b6a6.exe
  C:\Users\Admin\AppData\Local\Temp\413c800774c2169d9764c4b71fe0b6a6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2888

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\413c800774c2169d9764c4b71fe0b6a6.exe" /TN Google_Trk_Updater /F
1⤵
- Creates scheduled task(s)
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\413c800774c2169d9764c4b71fe0b6a6.exe

Filesize
35KB

MD5
140d0271cef5b5bb7b39249ace52b1c6

SHA1
0df99002f7ec84668fdf887dcd66871df25b71dc

SHA256
cfdf10d2916652ec41a98db7f2b6302e865258d4e0b58a8bc35fbd4ac72e5a13

SHA512
218d9a4525759605140ccddb4298cffb1de5a2762b4037b1b444e2bcfb05ddb644d4167aa0ea39ef251301631465fbdefc4eec3b3c2d8460e7329d8a020d91e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1AD3.tmp

Filesize
25KB

MD5
563485c78961ada02cb5c93a150e4ec6

SHA1
25b1ec284f4362bec0a2e4332dadf02c66a47ca6

SHA256
ca44789fdf5a08b36699e96619e6141f2459d3d91d923b9e57ec5c2f8d360a82

SHA512
88eb8a3478313440f7e941f8ef18e458599b84d92976d5be0565ca801c4f06b33186ac9e65ad2b047cefb5845911affffca3fb45defa0d02798c34d899ea9406

Download Submit
\Users\Admin\AppData\Local\Temp\413c800774c2169d9764c4b71fe0b6a6.exe

Filesize
10KB

MD5
f8f0cc93de23c011c9ae38f68f5871b1

SHA1
5f795da1539f56550d6fc822926a88f09eaeafd1

SHA256
9f8be4a47d9c4fbe6d00a1f55ed4b6e3343ded00b6bcd147f3f289078e02dace

SHA512
81329438153becc0d698560fbc2ecc77ff865ecdf8da76d1978dd1832697c43517a7b55930e352afd02de61192b1994aab9e8ac9622415f534acabb15413de88

Download Submit
memory/1992-2-0x0000000000260000-0x00000000002E3000-memory.dmp

Filesize
524KB

Download
memory/1992-16-0x0000000002DE0000-0x0000000002E63000-memory.dmp

Filesize
524KB

Download
memory/1992-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1992-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1992-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2888-19-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2888-21-0x0000000000360000-0x00000000003E3000-memory.dmp

Filesize
524KB

Download
memory/2888-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2888-29-0x0000000002D70000-0x0000000002DEE000-memory.dmp

Filesize
504KB

Download
memory/2888-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads