a30c0a3f6e2c447d1172f4fa945c6039f29d39f44420d9d7ed6e6f13c7078b1d

Analysis

max time kernel
136s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 08:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

586d66c4ad93371bed2091c7e769122b.exe
Size

483KB
MD5

586d66c4ad93371bed2091c7e769122b
SHA1

00d8d08b369e56be6226f9486077c86cc567a3dd
SHA256

a30c0a3f6e2c447d1172f4fa945c6039f29d39f44420d9d7ed6e6f13c7078b1d
SHA512

d4eba017f443ff2af345f05c1c81987814850c3b52eabffab36443e09a3ef6f8c719d012267cfd23aba136b0ac50f82272abf3e1243c04121f88d7724d7a439f
SSDEEP

12288:+vjjYb3p8vOGgGJenbpS+nswbitwEVzwRIwGAk66y5Z9IinDd:+7GqvP0nFlbIw8c6iTR

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4428	586d66c4ad93371bed2091c7e769122b.exe

Executes dropped EXE 1 IoCs

pid	Process
4428	586d66c4ad93371bed2091c7e769122b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4428	586d66c4ad93371bed2091c7e769122b.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4184	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4428	586d66c4ad93371bed2091c7e769122b.exe
4428	586d66c4ad93371bed2091c7e769122b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
884	586d66c4ad93371bed2091c7e769122b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
884	586d66c4ad93371bed2091c7e769122b.exe
4428	586d66c4ad93371bed2091c7e769122b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 4428	884	586d66c4ad93371bed2091c7e769122b.exe	88
PID 884 wrote to memory of 4428	884	586d66c4ad93371bed2091c7e769122b.exe	88
PID 884 wrote to memory of 4428	884	586d66c4ad93371bed2091c7e769122b.exe	88
PID 4428 wrote to memory of 4184	4428	586d66c4ad93371bed2091c7e769122b.exe	92
PID 4428 wrote to memory of 4184	4428	586d66c4ad93371bed2091c7e769122b.exe	92
PID 4428 wrote to memory of 4184	4428	586d66c4ad93371bed2091c7e769122b.exe	92

C:\Users\Admin\AppData\Local\Temp\586d66c4ad93371bed2091c7e769122b.exe
"C:\Users\Admin\AppData\Local\Temp\586d66c4ad93371bed2091c7e769122b.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:884
- C:\Users\Admin\AppData\Local\Temp\586d66c4ad93371bed2091c7e769122b.exe
  C:\Users\Admin\AppData\Local\Temp\586d66c4ad93371bed2091c7e769122b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\586d66c4ad93371bed2091c7e769122b.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\586d66c4ad93371bed2091c7e769122b.exe

Filesize
56KB

MD5
9a8b6ac24cec04e1c20fb1e80278942c

SHA1
d538db4d2c7a995df75556d71ae33babc4e008d6

SHA256
b75e3f47e43b967d5533b4549819d7482d563d2235f295fa1808dc5c1ab3a87e

SHA512
3e0bb59b992e947de6ddeab580939431c060c5822d4419ca1ea504792a06b690ca82b7b947a218a53d0519883bf9397ba85b91f58a03d382bdcc4b05af1558b6

Download Submit
memory/884-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/884-1-0x00000000014C0000-0x0000000001577000-memory.dmp

Filesize
732KB

Download
memory/884-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/884-11-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4428-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4428-16-0x0000000001530000-0x00000000015E7000-memory.dmp

Filesize
732KB

Download
memory/4428-13-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4428-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4428-20-0x0000000004F30000-0x0000000004F96000-memory.dmp

Filesize
408KB

Download