80f72712514c4e6b864778ce5a5c2b50563836049564cb7ba903cf5bc10f6ed9

Analysis

max time kernel
161s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f2c2da292e7013106f39f96d4d4f89c.exe
Size

1000KB
MD5

4f2c2da292e7013106f39f96d4d4f89c
SHA1

0fda2e001c048b6a0cbd90c89303f562e6cf5423
SHA256

80f72712514c4e6b864778ce5a5c2b50563836049564cb7ba903cf5bc10f6ed9
SHA512

666dbee32665b5256b7b74e7e12980dcd6dcf8b997fa05b8cbe658cb4dcfb0a20f4f14e2f012f7f7d3d547225001a445f334c22d18fe7763b0222d6f1695cf5f
SSDEEP

24576:krnJW94MrS6tRcdZeBF1B+5vMiqt0gj2ed:kI94MrS6tReeHqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2784	4f2c2da292e7013106f39f96d4d4f89c.exe

Executes dropped EXE 1 IoCs

pid	Process
2784	4f2c2da292e7013106f39f96d4d4f89c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2784	4f2c2da292e7013106f39f96d4d4f89c.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2784	4f2c2da292e7013106f39f96d4d4f89c.exe
2784	4f2c2da292e7013106f39f96d4d4f89c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2980	4f2c2da292e7013106f39f96d4d4f89c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2980	4f2c2da292e7013106f39f96d4d4f89c.exe
2784	4f2c2da292e7013106f39f96d4d4f89c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2784	2980	4f2c2da292e7013106f39f96d4d4f89c.exe	91
PID 2980 wrote to memory of 2784	2980	4f2c2da292e7013106f39f96d4d4f89c.exe	91
PID 2980 wrote to memory of 2784	2980	4f2c2da292e7013106f39f96d4d4f89c.exe	91
PID 2784 wrote to memory of 4088	2784	4f2c2da292e7013106f39f96d4d4f89c.exe	94
PID 2784 wrote to memory of 4088	2784	4f2c2da292e7013106f39f96d4d4f89c.exe	94
PID 2784 wrote to memory of 4088	2784	4f2c2da292e7013106f39f96d4d4f89c.exe	94

C:\Users\Admin\AppData\Local\Temp\4f2c2da292e7013106f39f96d4d4f89c.exe
"C:\Users\Admin\AppData\Local\Temp\4f2c2da292e7013106f39f96d4d4f89c.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\4f2c2da292e7013106f39f96d4d4f89c.exe
  C:\Users\Admin\AppData\Local\Temp\4f2c2da292e7013106f39f96d4d4f89c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\4f2c2da292e7013106f39f96d4d4f89c.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4f2c2da292e7013106f39f96d4d4f89c.exe

Filesize
1000KB

MD5
3001d25cf940e59352736e0f7cb49695

SHA1
24b5020873e9138d13da264cec9c675ef1e2caad

SHA256
d6a97e9d0bed5008d487971cd11046618e009f0ed2af6f38b3639ff2ee94fd2e

SHA512
504d30351495f781fbe4936cf8707c6065bc4f369ea1176b29958d9ea3596c2e3f04672fefb9bbd85cfcbaa2856e5a3ece787bb7bb0b62531f474eb98394e213

Download Submit
memory/2784-14-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2784-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2784-20-0x0000000001680000-0x00000000016FE000-memory.dmp

Filesize
504KB

Download
memory/2784-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2784-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2980-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2980-1-0x0000000001650000-0x00000000016D3000-memory.dmp

Filesize
524KB

Download
memory/2980-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2980-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download