2d8bdf5380c7131903d8af261262fc798e07d89a6924afdf1e2150e429a89b68

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 22:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54c5767af5c510a5158a9139e6edeb24.exe
Size

1000KB
MD5

54c5767af5c510a5158a9139e6edeb24
SHA1

222d6ea4b47b9839a7ce95608a8215961f2933a7
SHA256

2d8bdf5380c7131903d8af261262fc798e07d89a6924afdf1e2150e429a89b68
SHA512

1c18a9fd0f594135a6c50a8bca6bd2967e2ab0f0bed9ebc1cdca26c5405b7ef647c12cc04eecd64ddce53131ff30d262c71488ee325540c6ae5a9c02617db2a6
SSDEEP

24576:KVlOKyavREmxx61Kc0T1B+5vMiqt0gj2ed:olORhl0bqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4516	54c5767af5c510a5158a9139e6edeb24.exe

Executes dropped EXE 1 IoCs

pid	Process
4516	54c5767af5c510a5158a9139e6edeb24.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4516	54c5767af5c510a5158a9139e6edeb24.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4516	54c5767af5c510a5158a9139e6edeb24.exe
4516	54c5767af5c510a5158a9139e6edeb24.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
616	54c5767af5c510a5158a9139e6edeb24.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
616	54c5767af5c510a5158a9139e6edeb24.exe
4516	54c5767af5c510a5158a9139e6edeb24.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 616 wrote to memory of 4516	616	54c5767af5c510a5158a9139e6edeb24.exe	89
PID 616 wrote to memory of 4516	616	54c5767af5c510a5158a9139e6edeb24.exe	89
PID 616 wrote to memory of 4516	616	54c5767af5c510a5158a9139e6edeb24.exe	89
PID 4516 wrote to memory of 4756	4516	54c5767af5c510a5158a9139e6edeb24.exe	93
PID 4516 wrote to memory of 4756	4516	54c5767af5c510a5158a9139e6edeb24.exe	93
PID 4516 wrote to memory of 4756	4516	54c5767af5c510a5158a9139e6edeb24.exe	93

C:\Users\Admin\AppData\Local\Temp\54c5767af5c510a5158a9139e6edeb24.exe
"C:\Users\Admin\AppData\Local\Temp\54c5767af5c510a5158a9139e6edeb24.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:616
- C:\Users\Admin\AppData\Local\Temp\54c5767af5c510a5158a9139e6edeb24.exe
  C:\Users\Admin\AppData\Local\Temp\54c5767af5c510a5158a9139e6edeb24.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\54c5767af5c510a5158a9139e6edeb24.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\54c5767af5c510a5158a9139e6edeb24.exe

Filesize
1000KB

MD5
ad1d221c8737ab4bf051cd87000c456b

SHA1
71a71d63f7c8cc90cce1a6f10de9df338803da29

SHA256
a5bc4b750743bfe5250776a15f1cbf828bf74d79a52d30263ee7f7196bee060a

SHA512
8e54c5dba425bebf712bd8552904701caf179f563c863d888f062c82a757018ed669d481a73180668da3d46b10917f43d593fdf89fbfb5b182192f5552cab82b

Download Submit
memory/616-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/616-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/616-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/616-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4516-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4516-16-0x0000000001640000-0x00000000016C3000-memory.dmp

Filesize
524KB

Download
memory/4516-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4516-20-0x0000000004F10000-0x0000000004F8E000-memory.dmp

Filesize
504KB

Download
memory/4516-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download