46ab559fa1f8f7b4c4c9de511ee6d9ffa05474d6388fae1dd6bbba1d11c23838

Analysis

max time kernel
151s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58888a2a63e022e26d20eae3c281e4cc.exe
Size

1012KB
MD5

58888a2a63e022e26d20eae3c281e4cc
SHA1

f245af278005876dc735639ada4ca7054ec0fb13
SHA256

46ab559fa1f8f7b4c4c9de511ee6d9ffa05474d6388fae1dd6bbba1d11c23838
SHA512

c4c39d0c4335e99e70fd3435a1e48fe4a0565ee3e0cf5042b47f29ddab9cf7ed911fdb6a01f3055e208c22bb576ae4cd9949a21fe41d4c30c2fbe50e25e748c7
SSDEEP

24576:Hf1QD0v6Xh/uUOq10gzGPTYg1B+5vMiqt0gj2eR:HQVh/dOc0girqO7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4836	58888a2a63e022e26d20eae3c281e4cc.exe

Executes dropped EXE 1 IoCs

pid	Process
4836	58888a2a63e022e26d20eae3c281e4cc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4836	58888a2a63e022e26d20eae3c281e4cc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4836	58888a2a63e022e26d20eae3c281e4cc.exe
4836	58888a2a63e022e26d20eae3c281e4cc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3772	58888a2a63e022e26d20eae3c281e4cc.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3772	58888a2a63e022e26d20eae3c281e4cc.exe
4836	58888a2a63e022e26d20eae3c281e4cc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 4836	3772	58888a2a63e022e26d20eae3c281e4cc.exe	93
PID 3772 wrote to memory of 4836	3772	58888a2a63e022e26d20eae3c281e4cc.exe	93
PID 3772 wrote to memory of 4836	3772	58888a2a63e022e26d20eae3c281e4cc.exe	93
PID 4836 wrote to memory of 4904	4836	58888a2a63e022e26d20eae3c281e4cc.exe	95
PID 4836 wrote to memory of 4904	4836	58888a2a63e022e26d20eae3c281e4cc.exe	95
PID 4836 wrote to memory of 4904	4836	58888a2a63e022e26d20eae3c281e4cc.exe	95

C:\Users\Admin\AppData\Local\Temp\58888a2a63e022e26d20eae3c281e4cc.exe
"C:\Users\Admin\AppData\Local\Temp\58888a2a63e022e26d20eae3c281e4cc.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Users\Admin\AppData\Local\Temp\58888a2a63e022e26d20eae3c281e4cc.exe
  C:\Users\Admin\AppData\Local\Temp\58888a2a63e022e26d20eae3c281e4cc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\58888a2a63e022e26d20eae3c281e4cc.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\58888a2a63e022e26d20eae3c281e4cc.exe

Filesize
1012KB

MD5
3f2438457b7ad3f712e5ad539182774f

SHA1
dd7996cdb219a1ff409cfbe7ba700a219ed77615

SHA256
d5a045790fa3c4acc1aec8083f4753d6a46434c3374fa09dbb5968ae0765b907

SHA512
1ed41a528ae069b09754dc567a13bfba5b2511a08d01589ba385ee8e5e4f7b516a062fd4941659d25833b5cf371276aec661a362f745d16499c1c3a488a8f98a

Download Submit
memory/3772-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3772-1-0x0000000001680000-0x0000000001703000-memory.dmp

Filesize
524KB

Download
memory/3772-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3772-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4836-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4836-16-0x0000000001630000-0x00000000016B3000-memory.dmp

Filesize
524KB

Download
memory/4836-20-0x0000000004F10000-0x0000000004F8E000-memory.dmp

Filesize
504KB

Download
memory/4836-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4836-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download