85c86c07c5ff4db9fa0e40c4bc05ef0219d84342564ee7f65e04ca6db3314fb2

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 15:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5920743e37c40f10319c13540b0e19b4.exe
Size

506KB
MD5

5920743e37c40f10319c13540b0e19b4
SHA1

2d3242bc1c4f0bbd3d576a45b61ed9fd7944f41d
SHA256

85c86c07c5ff4db9fa0e40c4bc05ef0219d84342564ee7f65e04ca6db3314fb2
SHA512

179ce82ef650e40768aae25e7b617edf9e52401a52fa881ba2fe643feb73e6dcd912a6e3588552b9e937cc261708a48c1507d66a606a6de122cb9f1da699216e
SSDEEP

12288:o9bPM8HSkIe5c6MeGxDASbnCwb+Yo28ooXblqN3Hi:opPM8y1uc6My0Cw6YlvoCi

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4868	5920743e37c40f10319c13540b0e19b4.exe

Executes dropped EXE 1 IoCs

pid	Process
4868	5920743e37c40f10319c13540b0e19b4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4868	5920743e37c40f10319c13540b0e19b4.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4868	5920743e37c40f10319c13540b0e19b4.exe
4868	5920743e37c40f10319c13540b0e19b4.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2424	5920743e37c40f10319c13540b0e19b4.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2424	5920743e37c40f10319c13540b0e19b4.exe
4868	5920743e37c40f10319c13540b0e19b4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 4868	2424	5920743e37c40f10319c13540b0e19b4.exe	91
PID 2424 wrote to memory of 4868	2424	5920743e37c40f10319c13540b0e19b4.exe	91
PID 2424 wrote to memory of 4868	2424	5920743e37c40f10319c13540b0e19b4.exe	91
PID 4868 wrote to memory of 4736	4868	5920743e37c40f10319c13540b0e19b4.exe	92
PID 4868 wrote to memory of 4736	4868	5920743e37c40f10319c13540b0e19b4.exe	92
PID 4868 wrote to memory of 4736	4868	5920743e37c40f10319c13540b0e19b4.exe	92

C:\Users\Admin\AppData\Local\Temp\5920743e37c40f10319c13540b0e19b4.exe
"C:\Users\Admin\AppData\Local\Temp\5920743e37c40f10319c13540b0e19b4.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\5920743e37c40f10319c13540b0e19b4.exe
  C:\Users\Admin\AppData\Local\Temp\5920743e37c40f10319c13540b0e19b4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5920743e37c40f10319c13540b0e19b4.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5920743e37c40f10319c13540b0e19b4.exe

Filesize
506KB

MD5
258343e3b697fe5a73bf4f52189f1113

SHA1
b9fbe19adb67b5596640ee005c452b46a979106d

SHA256
5d141b6980c45844aefc2f7464dcedfaf135040ae8abe0105110ec8c658f526d

SHA512
aa08d72c95fe056fb6dc6a4d4d9f011d33c78b1ed3b644c8fea6c788b61c123566a6e6924912b6e6611d48ba3fa70bd452b69c16d737e7f337497920ba2f74b3

Download Submit
memory/2424-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2424-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/2424-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2424-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4868-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4868-15-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4868-20-0x0000000004F30000-0x0000000004FAE000-memory.dmp

Filesize
504KB

Download
memory/4868-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4868-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download