6d6bd50f7fd352a1427ad0841d7d87e99b5158aaaa2931241c1d6191b326cd72

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6592b83e67f38d722803443ff8dd8540.exe
Size

506KB
MD5

6592b83e67f38d722803443ff8dd8540
SHA1

a3e66f1be1b1f5821f26ac65ad67b28b78d0f0ce
SHA256

6d6bd50f7fd352a1427ad0841d7d87e99b5158aaaa2931241c1d6191b326cd72
SHA512

31a8d4008d0829b823b81ff061d731373c29183a63b730a58b51fba431df9f89a34a833159304bf4da6955d491887cfe0c0213ff697ab1dbf076f24e56d5b819
SSDEEP

6144:jjlZffuH/xIFU0EugicBhFwdU+ZNHbMLpqkA8zGglUTO67qHm/EdUzRLmddMmevT:jJZ+GLEu/UUHGZ5GglCOLm8dAV8dMDlx

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4380	6592b83e67f38d722803443ff8dd8540.exe

Executes dropped EXE 1 IoCs

pid	Process
4380	6592b83e67f38d722803443ff8dd8540.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4380	6592b83e67f38d722803443ff8dd8540.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4380	6592b83e67f38d722803443ff8dd8540.exe
4380	6592b83e67f38d722803443ff8dd8540.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5020	6592b83e67f38d722803443ff8dd8540.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5020	6592b83e67f38d722803443ff8dd8540.exe
4380	6592b83e67f38d722803443ff8dd8540.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4380	5020	6592b83e67f38d722803443ff8dd8540.exe	87
PID 5020 wrote to memory of 4380	5020	6592b83e67f38d722803443ff8dd8540.exe	87
PID 5020 wrote to memory of 4380	5020	6592b83e67f38d722803443ff8dd8540.exe	87
PID 4380 wrote to memory of 2072	4380	6592b83e67f38d722803443ff8dd8540.exe	89
PID 4380 wrote to memory of 2072	4380	6592b83e67f38d722803443ff8dd8540.exe	89
PID 4380 wrote to memory of 2072	4380	6592b83e67f38d722803443ff8dd8540.exe	89

C:\Users\Admin\AppData\Local\Temp\6592b83e67f38d722803443ff8dd8540.exe
"C:\Users\Admin\AppData\Local\Temp\6592b83e67f38d722803443ff8dd8540.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\6592b83e67f38d722803443ff8dd8540.exe
  C:\Users\Admin\AppData\Local\Temp\6592b83e67f38d722803443ff8dd8540.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\6592b83e67f38d722803443ff8dd8540.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6592b83e67f38d722803443ff8dd8540.exe

Filesize
506KB

MD5
1e04be68e110234fc1517f8b33603e90

SHA1
13fb3b63909b460e91de5d513c24c951f845d85b

SHA256
c728f51b841dcd163a0ef8928fb32255555f8e5600a781b0c047cf96b4c6a806

SHA512
b7d4f9b5054ef830b8e8b99492e05cda339255fc377901411f0ec28fd66129bfa2e122ee68847f1215b35b7e19ffcd91bdf213384df7b97394dbe4625827da8e

Download Submit
memory/4380-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4380-15-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4380-20-0x0000000004F50000-0x0000000004FCE000-memory.dmp

Filesize
504KB

Download
memory/4380-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4380-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5020-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5020-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/5020-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5020-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download