fecc74aa721e7297f18e9a658a8e4a1de148c81bad596ee21f2e77d90f4c80df

Analysis

max time kernel
149s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54dba09ffda8e11d6cf4fbb7a187c7d9.exe
Size

771KB
MD5

54dba09ffda8e11d6cf4fbb7a187c7d9
SHA1

52cf6b5a441c914659aa818cfc101851ab4a41c1
SHA256

fecc74aa721e7297f18e9a658a8e4a1de148c81bad596ee21f2e77d90f4c80df
SHA512

365e4661408f85b18eb643625345fc66f68218345f068de2e3af0d060d961aa374285e12ee1f2deadd3c9cadd5771b6b9311f378d05d3a5410a16306bb84026d
SSDEEP

24576:1aR/4A3lhoI3S9E9wmDoRIOfg01B+5vM0:1qbi9E9wmURDgmc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3640	54dba09ffda8e11d6cf4fbb7a187c7d9.exe

Executes dropped EXE 1 IoCs

pid	Process
3640	54dba09ffda8e11d6cf4fbb7a187c7d9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3640	54dba09ffda8e11d6cf4fbb7a187c7d9.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3640	54dba09ffda8e11d6cf4fbb7a187c7d9.exe
3640	54dba09ffda8e11d6cf4fbb7a187c7d9.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1772	54dba09ffda8e11d6cf4fbb7a187c7d9.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1772	54dba09ffda8e11d6cf4fbb7a187c7d9.exe
3640	54dba09ffda8e11d6cf4fbb7a187c7d9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 3640	1772	54dba09ffda8e11d6cf4fbb7a187c7d9.exe	30
PID 1772 wrote to memory of 3640	1772	54dba09ffda8e11d6cf4fbb7a187c7d9.exe	30
PID 1772 wrote to memory of 3640	1772	54dba09ffda8e11d6cf4fbb7a187c7d9.exe	30
PID 3640 wrote to memory of 2060	3640	54dba09ffda8e11d6cf4fbb7a187c7d9.exe	85
PID 3640 wrote to memory of 2060	3640	54dba09ffda8e11d6cf4fbb7a187c7d9.exe	85
PID 3640 wrote to memory of 2060	3640	54dba09ffda8e11d6cf4fbb7a187c7d9.exe	85

C:\Users\Admin\AppData\Local\Temp\54dba09ffda8e11d6cf4fbb7a187c7d9.exe
"C:\Users\Admin\AppData\Local\Temp\54dba09ffda8e11d6cf4fbb7a187c7d9.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\54dba09ffda8e11d6cf4fbb7a187c7d9.exe
  C:\Users\Admin\AppData\Local\Temp\54dba09ffda8e11d6cf4fbb7a187c7d9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\54dba09ffda8e11d6cf4fbb7a187c7d9.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\54dba09ffda8e11d6cf4fbb7a187c7d9.exe

Filesize
37KB

MD5
61451fe6cbddcfed9bd07e0f2babee4e

SHA1
7064518104bd54ae1c6ab2f8846a37c26e19ef9c

SHA256
92a2f706de0b29b1e3f70c1c20c8a7218839eccab077c44b26b01b21f06a5bd1

SHA512
4d22c3f49f9c288283a00c25349ddbd2d3f479619800bd22afe99f9752165488c39429587b8ef8b13dfd366904af25c7175ee74b3eb4991de4a9f5e9f2e40bba

Download Submit
memory/1772-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1772-1-0x0000000001660000-0x00000000016E3000-memory.dmp

Filesize
524KB

Download
memory/1772-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1772-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3640-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3640-15-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/3640-20-0x0000000004F40000-0x0000000004FBE000-memory.dmp

Filesize
504KB

Download
memory/3640-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3640-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download