ed261fa4167a7eb9aa24693871575b5ab792cf89c96e76738675023e107a1306

Analysis

max time kernel
120s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 22:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

49e1f3b8a68f2f7f30c0d01c091d8557.exe
Size

506KB
MD5

49e1f3b8a68f2f7f30c0d01c091d8557
SHA1

984bd410f02a29f1b63caff7edbc061ef3a87afa
SHA256

ed261fa4167a7eb9aa24693871575b5ab792cf89c96e76738675023e107a1306
SHA512

7ca78e17f120cac8e65b43bbd2492d82ac834acf4bfe8a9342c760be01928bb1e2577004682a396746ac4b0649fcc778260f5cffeeafd2381164055f07a555b4
SSDEEP

12288:Lf8UsQWhZCYBAST0yXrYJfeH4zDef92rH4vadTop3cRGrWF4mJLoaB3tvjUH3aVS:ADQWhk0QyXr0WH4Xef92rHi6I3cRCO4r

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4824	49e1f3b8a68f2f7f30c0d01c091d8557.exe

Executes dropped EXE 1 IoCs

pid	Process
4824	49e1f3b8a68f2f7f30c0d01c091d8557.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4824	49e1f3b8a68f2f7f30c0d01c091d8557.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4824	49e1f3b8a68f2f7f30c0d01c091d8557.exe
4824	49e1f3b8a68f2f7f30c0d01c091d8557.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4636	49e1f3b8a68f2f7f30c0d01c091d8557.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4636	49e1f3b8a68f2f7f30c0d01c091d8557.exe
4824	49e1f3b8a68f2f7f30c0d01c091d8557.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 4824	4636	49e1f3b8a68f2f7f30c0d01c091d8557.exe	89
PID 4636 wrote to memory of 4824	4636	49e1f3b8a68f2f7f30c0d01c091d8557.exe	89
PID 4636 wrote to memory of 4824	4636	49e1f3b8a68f2f7f30c0d01c091d8557.exe	89
PID 4824 wrote to memory of 1784	4824	49e1f3b8a68f2f7f30c0d01c091d8557.exe	92
PID 4824 wrote to memory of 1784	4824	49e1f3b8a68f2f7f30c0d01c091d8557.exe	92
PID 4824 wrote to memory of 1784	4824	49e1f3b8a68f2f7f30c0d01c091d8557.exe	92

C:\Users\Admin\AppData\Local\Temp\49e1f3b8a68f2f7f30c0d01c091d8557.exe
"C:\Users\Admin\AppData\Local\Temp\49e1f3b8a68f2f7f30c0d01c091d8557.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Temp\49e1f3b8a68f2f7f30c0d01c091d8557.exe
  C:\Users\Admin\AppData\Local\Temp\49e1f3b8a68f2f7f30c0d01c091d8557.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\49e1f3b8a68f2f7f30c0d01c091d8557.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\49e1f3b8a68f2f7f30c0d01c091d8557.exe

Filesize
506KB

MD5
0cdbc3a0016e27a629ff4a3fd0e34f0c

SHA1
3075dbb3c2cd4ababa8c77184f7f5bcf564c261d

SHA256
c905fd229f88a8caae5c72d314ad1e4fe24f718e1708bb660b12137ab59043c0

SHA512
cee9025eb80cc7bf9fb2427b3535bf19f54322b61fc4f6ca229c9ff29baab15a87ff5da133e284b12dbe7c0a8898d867629384f08c2c130828b63481fd1df2c4

Download Submit
memory/4636-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-1-0x00000000015F0000-0x0000000001673000-memory.dmp

Filesize
524KB

Download
memory/4636-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4636-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4824-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4824-17-0x0000000000170000-0x00000000001F3000-memory.dmp

Filesize
524KB

Download
memory/4824-20-0x0000000004F10000-0x0000000004F8E000-memory.dmp

Filesize
504KB

Download
memory/4824-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4824-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download