cc9810dc04026e40b7a2214f1485601bceadb9bb147cc5aa75585e86ad21dee3

Analysis

max time kernel
161s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54efaa829a9c88adf11bd771cb27e657.exe
Size

1000KB
MD5

54efaa829a9c88adf11bd771cb27e657
SHA1

3b42a80b3c086da8c3a41637068a06e6d2977a09
SHA256

cc9810dc04026e40b7a2214f1485601bceadb9bb147cc5aa75585e86ad21dee3
SHA512

16debbe5fd8fe8a280df9347958aca31b48506924c296d5e692471aab9bd54834cd4da19269b5741b453918346e0d6636c10df10e093437c778861b0eb1ed963
SSDEEP

12288:nuLeBKVdXr/Eeu6iLtE9X1FwkbvDnbXb95ECaBwQ2tb5JLrnylUPqt0gHDS7eyod:nNBsmzLtEFYkbDbs1B+5vMiqt0gj2ed

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4500	54efaa829a9c88adf11bd771cb27e657.exe

Executes dropped EXE 1 IoCs

pid	Process
4500	54efaa829a9c88adf11bd771cb27e657.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4500	54efaa829a9c88adf11bd771cb27e657.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4500	54efaa829a9c88adf11bd771cb27e657.exe
4500	54efaa829a9c88adf11bd771cb27e657.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3972	54efaa829a9c88adf11bd771cb27e657.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3972	54efaa829a9c88adf11bd771cb27e657.exe
4500	54efaa829a9c88adf11bd771cb27e657.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 4500	3972	54efaa829a9c88adf11bd771cb27e657.exe	90
PID 3972 wrote to memory of 4500	3972	54efaa829a9c88adf11bd771cb27e657.exe	90
PID 3972 wrote to memory of 4500	3972	54efaa829a9c88adf11bd771cb27e657.exe	90
PID 4500 wrote to memory of 1328	4500	54efaa829a9c88adf11bd771cb27e657.exe	92
PID 4500 wrote to memory of 1328	4500	54efaa829a9c88adf11bd771cb27e657.exe	92
PID 4500 wrote to memory of 1328	4500	54efaa829a9c88adf11bd771cb27e657.exe	92

C:\Users\Admin\AppData\Local\Temp\54efaa829a9c88adf11bd771cb27e657.exe
"C:\Users\Admin\AppData\Local\Temp\54efaa829a9c88adf11bd771cb27e657.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Local\Temp\54efaa829a9c88adf11bd771cb27e657.exe
  C:\Users\Admin\AppData\Local\Temp\54efaa829a9c88adf11bd771cb27e657.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\54efaa829a9c88adf11bd771cb27e657.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\54efaa829a9c88adf11bd771cb27e657.exe

Filesize
1000KB

MD5
9aab895a71098ad6638009feff200056

SHA1
73be6ea109156c4249ab2842e59ed156dbd9bcc7

SHA256
f45b41ca7b26e9a6eb5b4ae0321db2fd4020cef741f48df410ed3010727340b1

SHA512
65ad747a59e322f7afd2272feba5f4b9b481d0aec9725ca2483344229e570385075b40d61d9cbff4313ddf510d4d6802feccdacb94a6c7f14f0bc1c61d68cebb

Download Submit
memory/3972-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3972-1-0x0000000001640000-0x00000000016C3000-memory.dmp

Filesize
524KB

Download
memory/3972-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3972-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4500-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4500-16-0x0000000001610000-0x0000000001693000-memory.dmp

Filesize
524KB

Download
memory/4500-20-0x0000000004F80000-0x0000000004FFE000-memory.dmp

Filesize
504KB

Download
memory/4500-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4500-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download