Analysis
max time kernel: 154s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/01/2024, 04:40
Static task: static1
Behavioral task: behavioral1
  Sample: 5583df19938d383f639edd69d7d149e4.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 5583df19938d383f639edd69d7d149e4.exe
  Resource: win10v2004-20231215-en
General
Target: 5583df19938d383f639edd69d7d149e4.exe
Size: 506KB
MD5: 5583df19938d383f639edd69d7d149e4
SHA1: 0092dd26d3ce598c9aa60fb6bd198f73187d8d2a
SHA256: 44d3ad6c91e7f66d42c27f125f9ce12148c80b24c4fa1ca25b25fbb42704b27f
SHA512: 76d6ca5213151c3b212528ee50c2ab0eaf4d14a697aff47d1d32d1c45eb4fcc58bd53bad09109a391f0f5a4d5aa23082bd62509f78d29be691ca856f1f9d366c
SSDEEP: 12288:3kFqWeTeO6YLRMJ86aJjeuntE+M4rkn/yTDAk9OuZaVyIhR:UATen+6vsEOvTDAk99M
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  3856  5583df19938d383f639edd69d7d149e4.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  3856  5583df19938d383f639edd69d7d149e4.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid   Process
  3856  5583df19938d383f639edd69d7d149e4.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  3496  schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3856  5583df19938d383f639edd69d7d149e4.exe
  3856  5583df19938d383f639edd69d7d149e4.exe
Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  5080  5583df19938d383f639edd69d7d149e4.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  5080  5583df19938d383f639edd69d7d149e4.exe
  3856  5583df19938d383f639edd69d7d149e4.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                procid_target
  PID 5080 wrote to memory of 3856   5080  5583df19938d383f639edd69d7d149e4.exe   91
  PID 5080 wrote to memory of 3856   5080  5583df19938d383f639edd69d7d149e4.exe   91
  PID 5080 wrote to memory of 3856   5080  5583df19938d383f639edd69d7d149e4.exe   91
  PID 3856 wrote to memory of 3496   3856  5583df19938d383f639edd69d7d149e4.exe   93
  PID 3856 wrote to memory of 3496   3856  5583df19938d383f639edd69d7d149e4.exe   93
  PID 3856 wrote to memory of 3496   3856  5583df19938d383f639edd69d7d149e4.exe   93
Processes
1. C:\Users\Admin\AppData\Local\Temp\5583df19938d383f639edd69d7d149e4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5583df19938d383f639edd69d7d149e4.exe"
   PID: 5080
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\5583df19938d383f639edd69d7d149e4.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\5583df19938d383f639edd69d7d149e4.exe
      PID: 3856
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5583df19938d383f639edd69d7d149e4.exe" /TN Google_Trk_Updater /F
         PID: 3496
         - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 506KB
MD5: f47fa04fa35961a8569e5ee0ca6808a5
SHA1: 612355e7247097b17bc70ee08a8982f5ed8dd251
SHA256: 93572afbcb2ea61789a167ea5ccd893c3c812c202706dec496a74f7213d6ad5f
SHA512: 8a4b82f92324d291d3789716aa764bf9b1e9a53ff49c84d79aa1f56f6d50684a307d92cbf7b7a36688c125ed42cb71e97949caa237d06a2becedb4b67b369eb4