0b61ca37c91378ef5cbf05b0b9e35c89c3bef6f191a8b5766cc871ffcbb7fc50

General

Target

56257041ae6da5696535d3b7b511eea8.exe
Size

1000KB
MD5

56257041ae6da5696535d3b7b511eea8
SHA1

58136cbdc3da4bccd05a02c10f5db7b4a7da8047
SHA256

0b61ca37c91378ef5cbf05b0b9e35c89c3bef6f191a8b5766cc871ffcbb7fc50
SHA512

6c45a1fd5bae50cf610176eab6b3888c10f4278a2e27deb2d4af48cf14b68cdb0122a6d23695f9946e1e3d3485c2c55960437a0a7379e2081f40d109443561a3
SSDEEP

24576:vK5i+NIzLnWsF7Q9qYe3+81B+5vMiqt0gj2ed:2pOzrWs5Q9qPxqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1580	56257041ae6da5696535d3b7b511eea8.exe

Executes dropped EXE 1 IoCs

pid	Process
1580	56257041ae6da5696535d3b7b511eea8.exe

Loads dropped DLL 1 IoCs

pid	Process
2060	56257041ae6da5696535d3b7b511eea8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1580	56257041ae6da5696535d3b7b511eea8.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1580	56257041ae6da5696535d3b7b511eea8.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2060	56257041ae6da5696535d3b7b511eea8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2060	56257041ae6da5696535d3b7b511eea8.exe
1580	56257041ae6da5696535d3b7b511eea8.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1580	2060	56257041ae6da5696535d3b7b511eea8.exe	28
PID 2060 wrote to memory of 1580	2060	56257041ae6da5696535d3b7b511eea8.exe	28
PID 2060 wrote to memory of 1580	2060	56257041ae6da5696535d3b7b511eea8.exe	28
PID 2060 wrote to memory of 1580	2060	56257041ae6da5696535d3b7b511eea8.exe	28
PID 1580 wrote to memory of 2592	1580	56257041ae6da5696535d3b7b511eea8.exe	29
PID 1580 wrote to memory of 2592	1580	56257041ae6da5696535d3b7b511eea8.exe	29
PID 1580 wrote to memory of 2592	1580	56257041ae6da5696535d3b7b511eea8.exe	29
PID 1580 wrote to memory of 2592	1580	56257041ae6da5696535d3b7b511eea8.exe	29

C:\Users\Admin\AppData\Local\Temp\56257041ae6da5696535d3b7b511eea8.exe
"C:\Users\Admin\AppData\Local\Temp\56257041ae6da5696535d3b7b511eea8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\56257041ae6da5696535d3b7b511eea8.exe
  C:\Users\Admin\AppData\Local\Temp\56257041ae6da5696535d3b7b511eea8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\56257041ae6da5696535d3b7b511eea8.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\56257041ae6da5696535d3b7b511eea8.exe

Filesize
1000KB

MD5
a415475bf184629c9bfa609d88d278cb

SHA1
22077143e4aee997dcb16e400852aab54e00c878

SHA256
b8661026f511c20e6dc58d62c407cf7c02c4941766bd08fc20ab686fd8065828

SHA512
95c7311b495f4b05b299ed12d55a7baf016fbbd241e18b5bab5f6f2bd912cc42a5e7362159d51105bab6809f37c1a32b15fe263d07199fb0e97f0fccbe64c1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar36CE.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\56257041ae6da5696535d3b7b511eea8.exe

Filesize
320KB

MD5
15f4a2e6fef2b14aa2f2b78dbc98e2d1

SHA1
e56ddd4789cbcbf78d7ac231abec5593717121c0

SHA256
ebaa07f616999c2fc33ed72b1cf41f5b03a784ac70dd8be0d5f1470e655c4e66

SHA512
dd156e83158b0a02aa313b70c44abfe3ce02502ff35e34cfbc626f5d43f491715f70029162e847b81b41eba3c1bbc4eec4094e6f5c2b27c02a922ff6974cd56e

Download Submit
memory/1580-20-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1580-18-0x00000000001A0000-0x0000000000223000-memory.dmp

Filesize
524KB

Download
memory/1580-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1580-29-0x0000000002E10000-0x0000000002E8E000-memory.dmp

Filesize
504KB

Download
memory/1580-67-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2060-15-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2060-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2060-12-0x00000000030D0000-0x0000000003153000-memory.dmp

Filesize
524KB

Download
memory/2060-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2060-3-0x0000000001490000-0x0000000001513000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads