4cd58ee727fe0fb78a9057c153bd197496e929ba0d635532c5fdd8c052d36907

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 13:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

43da4a5b49ccb925b25e60f22431240f.exe
Size

506KB
MD5

43da4a5b49ccb925b25e60f22431240f
SHA1

558dc8562122e1f7649ce1fd61f931de34591115
SHA256

4cd58ee727fe0fb78a9057c153bd197496e929ba0d635532c5fdd8c052d36907
SHA512

4e3d363f66bf0b1c620b0854d635e3b64c9cdbfc41efb49f33565afc1ebc6815742e983a83c924a7b9284b8a4c3e65b10f37ca6dc747f9426aac444c5904810b
SSDEEP

12288:GKp/JnyLvCDRvZmMQRPjI1goM/iw509IjC:NlyLWX+bI1jw091

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4740	43da4a5b49ccb925b25e60f22431240f.exe

Executes dropped EXE 1 IoCs

pid	Process
4740	43da4a5b49ccb925b25e60f22431240f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4740	43da4a5b49ccb925b25e60f22431240f.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4740	43da4a5b49ccb925b25e60f22431240f.exe
4740	43da4a5b49ccb925b25e60f22431240f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1836	43da4a5b49ccb925b25e60f22431240f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1836	43da4a5b49ccb925b25e60f22431240f.exe
4740	43da4a5b49ccb925b25e60f22431240f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 4740	1836	43da4a5b49ccb925b25e60f22431240f.exe	13
PID 1836 wrote to memory of 4740	1836	43da4a5b49ccb925b25e60f22431240f.exe	13
PID 1836 wrote to memory of 4740	1836	43da4a5b49ccb925b25e60f22431240f.exe	13
PID 4740 wrote to memory of 4696	4740	43da4a5b49ccb925b25e60f22431240f.exe	18
PID 4740 wrote to memory of 4696	4740	43da4a5b49ccb925b25e60f22431240f.exe	18
PID 4740 wrote to memory of 4696	4740	43da4a5b49ccb925b25e60f22431240f.exe	18

C:\Users\Admin\AppData\Local\Temp\43da4a5b49ccb925b25e60f22431240f.exe
"C:\Users\Admin\AppData\Local\Temp\43da4a5b49ccb925b25e60f22431240f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\43da4a5b49ccb925b25e60f22431240f.exe
  C:\Users\Admin\AppData\Local\Temp\43da4a5b49ccb925b25e60f22431240f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\43da4a5b49ccb925b25e60f22431240f.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\43da4a5b49ccb925b25e60f22431240f.exe

Filesize
382KB

MD5
440e7674b544e24a433011a40ae6d322

SHA1
3c0fd99781a7a8ec65cb5c50569515ef540da558

SHA256
25ad291d47593698a11d68cca30344224fbc8836d789920969d0c5badb741fd7

SHA512
3d3fd8b91e053994fc3c0cad55816e12f927a309080bfad4fe02e4736692ff63d62e6b9d0951d3849f2502f353fa39c0c3337ff4f8323ddd2acfae83757330c1

Download Submit
memory/1836-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1836-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1836-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1836-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4740-20-0x0000000004F30000-0x0000000004FAE000-memory.dmp

Filesize
504KB

Download
memory/4740-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4740-14-0x0000000001660000-0x00000000016E3000-memory.dmp

Filesize
524KB

Download
memory/4740-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4740-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download