c28d1c031314784ee4669e04c975ded43d12cf3cbbd21365483a63f311bb5198

Analysis

max time kernel
140s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4737c06ec36981b3c5c0b3621eb6c765.exe
Size

1000KB
MD5

4737c06ec36981b3c5c0b3621eb6c765
SHA1

74b7a5193618d1c2ac55b427b8af874e283e405d
SHA256

c28d1c031314784ee4669e04c975ded43d12cf3cbbd21365483a63f311bb5198
SHA512

1c90094f6dcb95f2709ec94507e2c83f4d45231e9c2f2454870dc5e390e8a2fa1553c9ee8113fa886955dd2fb012623062468bb32f5e7b5521ee21d81fdc8510
SSDEEP

24576:p55ogyjoUZ4KMdNnQolmscUpOqbT31B+5vMiqt0gj2ed:j5oRjdMdmjsdp1PqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3192	4737c06ec36981b3c5c0b3621eb6c765.exe

Executes dropped EXE 1 IoCs

pid	Process
3192	4737c06ec36981b3c5c0b3621eb6c765.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3192	4737c06ec36981b3c5c0b3621eb6c765.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3192	4737c06ec36981b3c5c0b3621eb6c765.exe
3192	4737c06ec36981b3c5c0b3621eb6c765.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2464	4737c06ec36981b3c5c0b3621eb6c765.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2464	4737c06ec36981b3c5c0b3621eb6c765.exe
3192	4737c06ec36981b3c5c0b3621eb6c765.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 3192	2464	4737c06ec36981b3c5c0b3621eb6c765.exe	91
PID 2464 wrote to memory of 3192	2464	4737c06ec36981b3c5c0b3621eb6c765.exe	91
PID 2464 wrote to memory of 3192	2464	4737c06ec36981b3c5c0b3621eb6c765.exe	91
PID 3192 wrote to memory of 3084	3192	4737c06ec36981b3c5c0b3621eb6c765.exe	93
PID 3192 wrote to memory of 3084	3192	4737c06ec36981b3c5c0b3621eb6c765.exe	93
PID 3192 wrote to memory of 3084	3192	4737c06ec36981b3c5c0b3621eb6c765.exe	93

C:\Users\Admin\AppData\Local\Temp\4737c06ec36981b3c5c0b3621eb6c765.exe
"C:\Users\Admin\AppData\Local\Temp\4737c06ec36981b3c5c0b3621eb6c765.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\4737c06ec36981b3c5c0b3621eb6c765.exe
  C:\Users\Admin\AppData\Local\Temp\4737c06ec36981b3c5c0b3621eb6c765.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\4737c06ec36981b3c5c0b3621eb6c765.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4737c06ec36981b3c5c0b3621eb6c765.exe

Filesize
267KB

MD5
53944206e68b9ceedc97c2affd703a92

SHA1
2eec537e41765c12cf821380e38eefdf9acbb19b

SHA256
5fa1276a4646643297357a61beb138ac0e7ee5abfcdc6955e5a72ad91a4c92ef

SHA512
ccb45749291a32b5dd36e2653acc290ee40e5ca7bbe24595e1b791638244a2971aee8cfaea84216e0fdfbe68ba27a95ae91f1662bba18a667e242c5db063cdb7

Download Submit
memory/2464-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2464-1-0x0000000001600000-0x0000000001683000-memory.dmp

Filesize
524KB

Download
memory/2464-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2464-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3192-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3192-14-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/3192-20-0x0000000004F40000-0x0000000004FBE000-memory.dmp

Filesize
504KB

Download
memory/3192-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3192-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download