9b47761635a1ff675a07fe5be0ebe180bf56a7f56bfdb43cc929b2dc0c6648a8

Analysis

max time kernel
91s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64fe721e11dd79678cbe9cb58884d737.exe
Size

506KB
MD5

64fe721e11dd79678cbe9cb58884d737
SHA1

8845c733179b02f657b9f11a30f077f88013268d
SHA256

9b47761635a1ff675a07fe5be0ebe180bf56a7f56bfdb43cc929b2dc0c6648a8
SHA512

54d8cd91893dce4f85b257e506c22140669cd5d90bdc526e2c8ebaa83768a8ff05da47a2df243f4fefe06bbf835edadc729720ad9ca45edb8770725571b9562f
SSDEEP

12288:Q+uPEQ2qyzdVlxUwzQcP/u3ynnHd7F96yPsziRjbcMljD:Q6D7XUwP3nH/96yPsONcMx

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1072	64fe721e11dd79678cbe9cb58884d737.exe

Executes dropped EXE 1 IoCs

pid	Process
1072	64fe721e11dd79678cbe9cb58884d737.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1072	64fe721e11dd79678cbe9cb58884d737.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1072	64fe721e11dd79678cbe9cb58884d737.exe
1072	64fe721e11dd79678cbe9cb58884d737.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1276	64fe721e11dd79678cbe9cb58884d737.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1276	64fe721e11dd79678cbe9cb58884d737.exe
1072	64fe721e11dd79678cbe9cb58884d737.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 1072	1276	64fe721e11dd79678cbe9cb58884d737.exe	87
PID 1276 wrote to memory of 1072	1276	64fe721e11dd79678cbe9cb58884d737.exe	87
PID 1276 wrote to memory of 1072	1276	64fe721e11dd79678cbe9cb58884d737.exe	87
PID 1072 wrote to memory of 2960	1072	64fe721e11dd79678cbe9cb58884d737.exe	88
PID 1072 wrote to memory of 2960	1072	64fe721e11dd79678cbe9cb58884d737.exe	88
PID 1072 wrote to memory of 2960	1072	64fe721e11dd79678cbe9cb58884d737.exe	88

C:\Users\Admin\AppData\Local\Temp\64fe721e11dd79678cbe9cb58884d737.exe
"C:\Users\Admin\AppData\Local\Temp\64fe721e11dd79678cbe9cb58884d737.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\64fe721e11dd79678cbe9cb58884d737.exe
  C:\Users\Admin\AppData\Local\Temp\64fe721e11dd79678cbe9cb58884d737.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\64fe721e11dd79678cbe9cb58884d737.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\64fe721e11dd79678cbe9cb58884d737.exe

Filesize
506KB

MD5
22c86732cf36b4b87d39c9b64a18021d

SHA1
22e2b586d3185cfc2c725ffe7849b52c4812d99f

SHA256
4546ebf59d0cbd39c40f63fd2c7e85520321df2e5a1da1f6cc0bc7f1056044bc

SHA512
c64b8b38aae4b916b0e4e81df5b915e87878772e1def9ed55449b5e1f37b1e80d650f7fdea24e6a1ad01282cb2b6d283d8e16b318fc6a4bdd959b05de0f6c5d8

Download Submit
memory/1072-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1072-14-0x00000000016E0000-0x0000000001763000-memory.dmp

Filesize
524KB

Download
memory/1072-20-0x0000000004F90000-0x000000000500E000-memory.dmp

Filesize
504KB

Download
memory/1072-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1072-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1276-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1276-1-0x0000000001630000-0x00000000016B3000-memory.dmp

Filesize
524KB

Download
memory/1276-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1276-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download