a93102ee94ebf425dc428660d6825a21febeb0358b7573397bf2df3f23364a96

Analysis

max time kernel
152s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bf1ddc71a4272901704783138d5447c.exe
Size

771KB
MD5

4bf1ddc71a4272901704783138d5447c
SHA1

01db75c5ba23c369fa93a29c95a93e9564dad8ca
SHA256

a93102ee94ebf425dc428660d6825a21febeb0358b7573397bf2df3f23364a96
SHA512

f17e6061427b48b76e1f4013bb74db03138a1c7f2ad3e14ee2da67015ff570c7feaf27d5e6592be0f316336facc3d42adc804418276bbc2bb6d1a65bee51ef0e
SSDEEP

12288:YqnEcF8COQSp8sW3DpAFuyyGD1g26Em3az2ECaBwQ2tb5JLrnyl0:DpAp8sWzpAnyGpgT34F1B+5vM0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1952	4bf1ddc71a4272901704783138d5447c.exe

Executes dropped EXE 1 IoCs

pid	Process
1952	4bf1ddc71a4272901704783138d5447c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1952	4bf1ddc71a4272901704783138d5447c.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1952	4bf1ddc71a4272901704783138d5447c.exe
1952	4bf1ddc71a4272901704783138d5447c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2136	4bf1ddc71a4272901704783138d5447c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2136	4bf1ddc71a4272901704783138d5447c.exe
1952	4bf1ddc71a4272901704783138d5447c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1952	2136	4bf1ddc71a4272901704783138d5447c.exe	91
PID 2136 wrote to memory of 1952	2136	4bf1ddc71a4272901704783138d5447c.exe	91
PID 2136 wrote to memory of 1952	2136	4bf1ddc71a4272901704783138d5447c.exe	91
PID 1952 wrote to memory of 2176	1952	4bf1ddc71a4272901704783138d5447c.exe	92
PID 1952 wrote to memory of 2176	1952	4bf1ddc71a4272901704783138d5447c.exe	92
PID 1952 wrote to memory of 2176	1952	4bf1ddc71a4272901704783138d5447c.exe	92

C:\Users\Admin\AppData\Local\Temp\4bf1ddc71a4272901704783138d5447c.exe
"C:\Users\Admin\AppData\Local\Temp\4bf1ddc71a4272901704783138d5447c.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\4bf1ddc71a4272901704783138d5447c.exe
  C:\Users\Admin\AppData\Local\Temp\4bf1ddc71a4272901704783138d5447c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\4bf1ddc71a4272901704783138d5447c.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4bf1ddc71a4272901704783138d5447c.exe

Filesize
585KB

MD5
9de53254ef9270b02ad59cc64acb2d2c

SHA1
a149d4d2d091278d02fdcf3c2ee0cd65f402b7df

SHA256
a624e2f0f365ac8916c8e061b8ace72516f2ef2744e31e65eedd5c6338fa4e23

SHA512
4e8d14e03dbb57901fb9a51052b29dc9805bea0124dab9cb3e944e7f8d35d1082d491c1a15658e1acf6d042fb2674d5d334aa8f6e4c6668d29c739c967627c18

Download Submit
memory/1952-15-0x0000000001670000-0x00000000016F3000-memory.dmp

Filesize
524KB

Download
memory/1952-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1952-20-0x0000000004F40000-0x0000000004FBE000-memory.dmp

Filesize
504KB

Download
memory/1952-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1952-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2136-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2136-1-0x00000000015E0000-0x0000000001663000-memory.dmp

Filesize
524KB

Download
memory/2136-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2136-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download