fc78b0f70bc1f75ba095fec002d434bc5045b5e0b5d780757bd6e43b3ebe9095

General

Target

502d5a8ea213fa5e8b3220608069dc99.exe
Size

506KB
MD5

502d5a8ea213fa5e8b3220608069dc99
SHA1

e06ac2805a83943f3cf07e035017aeff60577e98
SHA256

fc78b0f70bc1f75ba095fec002d434bc5045b5e0b5d780757bd6e43b3ebe9095
SHA512

1f273c7a2e48c047413ff6c9dbbd2eb359d0035f0f1d5166dc5e1eb4617bab52c029351ece5357c9677f602d67958f53dc694b379df0fac943ae0fbc4b1aca4a
SSDEEP

12288:x4W5Vte2Gd0QFZeiPsPzYRomUqPkCzSZ/jC:xV5WWQFZeiUPzYRvg/+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2992	502d5a8ea213fa5e8b3220608069dc99.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	502d5a8ea213fa5e8b3220608069dc99.exe

Loads dropped DLL 1 IoCs

pid	Process
2928	502d5a8ea213fa5e8b3220608069dc99.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2992	502d5a8ea213fa5e8b3220608069dc99.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2992	502d5a8ea213fa5e8b3220608069dc99.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2928	502d5a8ea213fa5e8b3220608069dc99.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2928	502d5a8ea213fa5e8b3220608069dc99.exe
2992	502d5a8ea213fa5e8b3220608069dc99.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2992	2928	502d5a8ea213fa5e8b3220608069dc99.exe	16
PID 2928 wrote to memory of 2992	2928	502d5a8ea213fa5e8b3220608069dc99.exe	16
PID 2928 wrote to memory of 2992	2928	502d5a8ea213fa5e8b3220608069dc99.exe	16
PID 2928 wrote to memory of 2992	2928	502d5a8ea213fa5e8b3220608069dc99.exe	16
PID 2992 wrote to memory of 2792	2992	502d5a8ea213fa5e8b3220608069dc99.exe	14
PID 2992 wrote to memory of 2792	2992	502d5a8ea213fa5e8b3220608069dc99.exe	14
PID 2992 wrote to memory of 2792	2992	502d5a8ea213fa5e8b3220608069dc99.exe	14
PID 2992 wrote to memory of 2792	2992	502d5a8ea213fa5e8b3220608069dc99.exe	14

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\502d5a8ea213fa5e8b3220608069dc99.exe" /TN Google_Trk_Updater /F
1⤵
- Creates scheduled task(s)
PID:2792

C:\Users\Admin\AppData\Local\Temp\502d5a8ea213fa5e8b3220608069dc99.exe
C:\Users\Admin\AppData\Local\Temp\502d5a8ea213fa5e8b3220608069dc99.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\Temp\502d5a8ea213fa5e8b3220608069dc99.exe
"C:\Users\Admin\AppData\Local\Temp\502d5a8ea213fa5e8b3220608069dc99.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\502d5a8ea213fa5e8b3220608069dc99.exe

Filesize
10KB

MD5
8ecee529b6cc055894183f717bdde0e6

SHA1
891e0479d6dd526280dbade500ef39e51df28fe7

SHA256
4c4651f7fecb4d6209ab8061907c08a9c5e3ef5ae43b0fb07e8335514c3c7eba

SHA512
c73e6e2222b4bf3131a55d1c2464399e42eb8c0facabd022758ca9698d2bb40734117d1c7ed65a0d2ebdce4a0ee51caecb70220e0a08e1becc8ad7b0620769fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\502d5a8ea213fa5e8b3220608069dc99.exe

Filesize
1KB

MD5
30e18a67f4840124de25d47cdd305676

SHA1
c9bbc42864c47f97998a529c42295579a4460255

SHA256
f8bc42127dc114b16140f6eb3b4ccecf605f0c138ba75590fcf111eae95edd31

SHA512
f04a4c7ee7980a6fc7d2d6f6dcefa4644a7bf2cc851b829a76ac50f79383f196764009ac92dcdc0cdd1b856b6d7cb003080fac25a28473269b8a360e71826dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3CE3.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3D05.tmp

Filesize
1KB

MD5
fa527dcd6b5eb05e72fc51570a2a6608

SHA1
3380c5ef74408265fba2f67e790636d0ad0a51cc

SHA256
4dc7a4a6cb3be2c334a27a49df89f18f8f91749fe6aa1cf28d548e0e0c75ce3d

SHA512
05c0e217c433949cab210102a26ca7f6a765515b228b217e25c7409408fc167b5a59a8494e1181284e9ec72849c90288f3a066faa284e29d871097ec76291a5a

Download Submit
\Users\Admin\AppData\Local\Temp\502d5a8ea213fa5e8b3220608069dc99.exe

Filesize
17KB

MD5
4e1497f4faaa854711a19f3cde3ebac1

SHA1
1fea958b9a17cbe9beda420c1aad408b9d6334cb

SHA256
c1c46afa67191d91bfbc1b0cb0e7693ca9a97121a083150bd9bb2c7a5a1eab35

SHA512
71522cc4d9259ad37b3d9b9ee6686ca21f26b0c1b465894b907cb5738384a4b1cb63ca46513639bf62a163c1ed842d862c00734e5b5d5b6676a56ed375f431d4

Download Submit
memory/2928-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2928-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2928-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2928-16-0x0000000002ED0000-0x0000000002F53000-memory.dmp

Filesize
524KB

Download
memory/2928-2-0x0000000001490000-0x0000000001513000-memory.dmp

Filesize
524KB

Download
memory/2992-19-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2992-21-0x0000000000350000-0x00000000003D3000-memory.dmp

Filesize
524KB

Download
memory/2992-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2992-29-0x0000000002D40000-0x0000000002DBE000-memory.dmp

Filesize
504KB

Download
memory/2992-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads