4a4d806848628d45cbb3cdf46555a505f13c313d26854ee09b2cff1b8300734b

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

528d2b9c6a65b2611dc8541f6dd5920a.exe
Size

1000KB
MD5

528d2b9c6a65b2611dc8541f6dd5920a
SHA1

3d2df3a363190eee0a3e4178f22f8acfec9e435b
SHA256

4a4d806848628d45cbb3cdf46555a505f13c313d26854ee09b2cff1b8300734b
SHA512

ec22e4b1075d149506deb6656ababf3d728ff059a16aec99f21e91b54b51ddbd756009b84d507cea780f9d6135f662f1fc5caeea05fd505d4fd46a27d00fb06b
SSDEEP

24576:RyxEoQb29UTbiyRKJ222Qtm89J41B+5vMiqt0gj2ed:M3QS9UTe0S92JqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4180	528d2b9c6a65b2611dc8541f6dd5920a.exe

Executes dropped EXE 1 IoCs

pid	Process
4180	528d2b9c6a65b2611dc8541f6dd5920a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4180	528d2b9c6a65b2611dc8541f6dd5920a.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4180	528d2b9c6a65b2611dc8541f6dd5920a.exe
4180	528d2b9c6a65b2611dc8541f6dd5920a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1520	528d2b9c6a65b2611dc8541f6dd5920a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1520	528d2b9c6a65b2611dc8541f6dd5920a.exe
4180	528d2b9c6a65b2611dc8541f6dd5920a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 4180	1520	528d2b9c6a65b2611dc8541f6dd5920a.exe	90
PID 1520 wrote to memory of 4180	1520	528d2b9c6a65b2611dc8541f6dd5920a.exe	90
PID 1520 wrote to memory of 4180	1520	528d2b9c6a65b2611dc8541f6dd5920a.exe	90
PID 4180 wrote to memory of 4100	4180	528d2b9c6a65b2611dc8541f6dd5920a.exe	93
PID 4180 wrote to memory of 4100	4180	528d2b9c6a65b2611dc8541f6dd5920a.exe	93
PID 4180 wrote to memory of 4100	4180	528d2b9c6a65b2611dc8541f6dd5920a.exe	93

C:\Users\Admin\AppData\Local\Temp\528d2b9c6a65b2611dc8541f6dd5920a.exe
"C:\Users\Admin\AppData\Local\Temp\528d2b9c6a65b2611dc8541f6dd5920a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\528d2b9c6a65b2611dc8541f6dd5920a.exe
  C:\Users\Admin\AppData\Local\Temp\528d2b9c6a65b2611dc8541f6dd5920a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\528d2b9c6a65b2611dc8541f6dd5920a.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\528d2b9c6a65b2611dc8541f6dd5920a.exe

Filesize
1000KB

MD5
13e079f8480b7527f88a3be9c03ccb73

SHA1
accb51772bc3c7b39d494d993711cdefcb435249

SHA256
8e66159619d14955c8b216c1c182a3809e2482891bd08f05c7688b24eca7a679

SHA512
a757d61a598a1374b6201994de019fa1dd3f836ee75bd0d90631a72ba6ab3f2cef9d76ca1abb001bc4fc5b0f8276a4cf6ddadeea237716fdf7a466c2484b53df

Download Submit
memory/1520-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1520-1-0x0000000001640000-0x00000000016C3000-memory.dmp

Filesize
524KB

Download
memory/1520-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1520-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4180-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4180-14-0x00000000015E0000-0x0000000001663000-memory.dmp

Filesize
524KB

Download
memory/4180-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4180-20-0x0000000004F50000-0x0000000004FCE000-memory.dmp

Filesize
504KB

Download
memory/4180-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download