bb2b6c3351c5434f39d97ae64404dd3530355d6e246614f3edddd4c36f996d13

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 04:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5803282309361e89a4160f6b21619b80.exe
Size

506KB
MD5

5803282309361e89a4160f6b21619b80
SHA1

ae554eaca14ad325e0768e93919e1091b4811606
SHA256

bb2b6c3351c5434f39d97ae64404dd3530355d6e246614f3edddd4c36f996d13
SHA512

4484c9fc4b3ed599768204ea7d08250aa9ac9aab7eec1c4aef569ae69d2f8dce7f0a1f1c139c32ee4403d0ed49e0ae6714852f284c05847341f4291c7a87394d
SSDEEP

12288:8Z7vk61QKjEAt3lSY3OCnq6rKj2iY3iJJatqMEX87TqtDQ+:8Z7L7vIMOmq6GjzY3nsM6CTq1h

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
396	5803282309361e89a4160f6b21619b80.exe

Executes dropped EXE 1 IoCs

pid	Process
396	5803282309361e89a4160f6b21619b80.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
396	5803282309361e89a4160f6b21619b80.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
396	5803282309361e89a4160f6b21619b80.exe
396	5803282309361e89a4160f6b21619b80.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2300	5803282309361e89a4160f6b21619b80.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2300	5803282309361e89a4160f6b21619b80.exe
396	5803282309361e89a4160f6b21619b80.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 396	2300	5803282309361e89a4160f6b21619b80.exe	90
PID 2300 wrote to memory of 396	2300	5803282309361e89a4160f6b21619b80.exe	90
PID 2300 wrote to memory of 396	2300	5803282309361e89a4160f6b21619b80.exe	90
PID 396 wrote to memory of 1416	396	5803282309361e89a4160f6b21619b80.exe	92
PID 396 wrote to memory of 1416	396	5803282309361e89a4160f6b21619b80.exe	92
PID 396 wrote to memory of 1416	396	5803282309361e89a4160f6b21619b80.exe	92

C:\Users\Admin\AppData\Local\Temp\5803282309361e89a4160f6b21619b80.exe
"C:\Users\Admin\AppData\Local\Temp\5803282309361e89a4160f6b21619b80.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\5803282309361e89a4160f6b21619b80.exe
  C:\Users\Admin\AppData\Local\Temp\5803282309361e89a4160f6b21619b80.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5803282309361e89a4160f6b21619b80.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5803282309361e89a4160f6b21619b80.exe

Filesize
58KB

MD5
343b0dda2394a1d0de6bd4ae7b43e8c5

SHA1
d4360dc3d24ea734dee5caf8437eb33a7e00ac0b

SHA256
46a55ff7978bc8d8f77ce46673a129749eaabc3d2951d32e03f0a976cc96390e

SHA512
beb36ed34a73fc1a5acf3c373cd9214b9d124c3daba591fcec22c9d00c8d3a1b72115b0874c2ba9b29b31f5fbd372ba2d652c14fa334a9e9c85b21d128f06fbe

Download Submit
memory/396-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/396-16-0x00000000016A0000-0x0000000001723000-memory.dmp

Filesize
524KB

Download
memory/396-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/396-23-0x0000000004F30000-0x0000000004FAE000-memory.dmp

Filesize
504KB

Download
memory/396-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2300-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2300-1-0x0000000001690000-0x0000000001713000-memory.dmp

Filesize
524KB

Download
memory/2300-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2300-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download