9ee0093ab157cb90e0c2179c1517e9be08519cc16765b594241c6d1340a67140

Analysis

max time kernel
137s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57592ea2c66f6380ddc3cc001a12c947.exe
Size

241KB
MD5

57592ea2c66f6380ddc3cc001a12c947
SHA1

41b28aa96e5bbbff1dc4727aeba533a40fe41be8
SHA256

9ee0093ab157cb90e0c2179c1517e9be08519cc16765b594241c6d1340a67140
SHA512

b9cea9b33f925ad1f93961313797568f36d9136c96fead91e19a6df4dd282f23733d45baef07e53f2bf7cbc404afb892de8e0a44f8e06149b31b6f783dcdcc19
SSDEEP

6144:FLgndA9Fzc9/b9cTzh31x5ZNs0j1pUF7c7P/5RUt2ANw:FLgwFS/C/hf5Za4EC/5RUt2P

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4412	57592ea2c66f6380ddc3cc001a12c947.exe

Executes dropped EXE 1 IoCs

pid	Process
4412	57592ea2c66f6380ddc3cc001a12c947.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4412	57592ea2c66f6380ddc3cc001a12c947.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4412	57592ea2c66f6380ddc3cc001a12c947.exe
4412	57592ea2c66f6380ddc3cc001a12c947.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1372	57592ea2c66f6380ddc3cc001a12c947.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1372	57592ea2c66f6380ddc3cc001a12c947.exe
4412	57592ea2c66f6380ddc3cc001a12c947.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 4412	1372	57592ea2c66f6380ddc3cc001a12c947.exe	91
PID 1372 wrote to memory of 4412	1372	57592ea2c66f6380ddc3cc001a12c947.exe	91
PID 1372 wrote to memory of 4412	1372	57592ea2c66f6380ddc3cc001a12c947.exe	91
PID 4412 wrote to memory of 4344	4412	57592ea2c66f6380ddc3cc001a12c947.exe	92
PID 4412 wrote to memory of 4344	4412	57592ea2c66f6380ddc3cc001a12c947.exe	92
PID 4412 wrote to memory of 4344	4412	57592ea2c66f6380ddc3cc001a12c947.exe	92

C:\Users\Admin\AppData\Local\Temp\57592ea2c66f6380ddc3cc001a12c947.exe
"C:\Users\Admin\AppData\Local\Temp\57592ea2c66f6380ddc3cc001a12c947.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\57592ea2c66f6380ddc3cc001a12c947.exe
  C:\Users\Admin\AppData\Local\Temp\57592ea2c66f6380ddc3cc001a12c947.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\57592ea2c66f6380ddc3cc001a12c947.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\57592ea2c66f6380ddc3cc001a12c947.exe

Filesize
241KB

MD5
add4aaacbe58248777d5260932b176da

SHA1
325d618b335f5265f203b05d2a1aee1ba4feb50e

SHA256
9361fa106969aaff29799da8a365069febc55ee81dce7bd2d2eee6cf4f4cf0a3

SHA512
1d4f4dedf681ec86f3a34b73574b9cb9bb8930be0526556d5db5fb8069d185156b0589c819712e48ec1989042b5bac43cc3c3715b89bf638f1104b21e3a1314a

Download Submit
memory/1372-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1372-1-0x0000000001530000-0x00000000015E7000-memory.dmp

Filesize
732KB

Download
memory/1372-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1372-11-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4412-13-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4412-14-0x00000000014C0000-0x0000000001577000-memory.dmp

Filesize
732KB

Download
memory/4412-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4412-20-0x0000000004F70000-0x0000000004FD6000-memory.dmp

Filesize
408KB

Download
memory/4412-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download