35071da4720d464ae9fc50270cc7febe2e166a0898f08a1a31a991fafb0b228d

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

701e7f2441bfd90945a58071c7223012.exe
Size

1012KB
MD5

701e7f2441bfd90945a58071c7223012
SHA1

cf5ce054043e52888688e9da9cb2e47c6f5957ae
SHA256

35071da4720d464ae9fc50270cc7febe2e166a0898f08a1a31a991fafb0b228d
SHA512

7ef0ab5efb7bb71162a07e6bf0f267a2a2ada0718b8d16bdb02365b9e060aa4043e823fe5667a6eb4f2817329a8eb1bc414284556b774debaa4719a795d6e4ab
SSDEEP

24576:pOqdqH0tIw4oR8KgLALtiC1B+5vMiqt0gj2eR:pOqUH1wNRyA3qO7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4012	701e7f2441bfd90945a58071c7223012.exe

Executes dropped EXE 1 IoCs

pid	Process
4012	701e7f2441bfd90945a58071c7223012.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4012	701e7f2441bfd90945a58071c7223012.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4012	701e7f2441bfd90945a58071c7223012.exe
4012	701e7f2441bfd90945a58071c7223012.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1992	701e7f2441bfd90945a58071c7223012.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1992	701e7f2441bfd90945a58071c7223012.exe
4012	701e7f2441bfd90945a58071c7223012.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 4012	1992	701e7f2441bfd90945a58071c7223012.exe	88
PID 1992 wrote to memory of 4012	1992	701e7f2441bfd90945a58071c7223012.exe	88
PID 1992 wrote to memory of 4012	1992	701e7f2441bfd90945a58071c7223012.exe	88
PID 4012 wrote to memory of 1100	4012	701e7f2441bfd90945a58071c7223012.exe	89
PID 4012 wrote to memory of 1100	4012	701e7f2441bfd90945a58071c7223012.exe	89
PID 4012 wrote to memory of 1100	4012	701e7f2441bfd90945a58071c7223012.exe	89

C:\Users\Admin\AppData\Local\Temp\701e7f2441bfd90945a58071c7223012.exe
"C:\Users\Admin\AppData\Local\Temp\701e7f2441bfd90945a58071c7223012.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\701e7f2441bfd90945a58071c7223012.exe
  C:\Users\Admin\AppData\Local\Temp\701e7f2441bfd90945a58071c7223012.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\701e7f2441bfd90945a58071c7223012.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\701e7f2441bfd90945a58071c7223012.exe

Filesize
1012KB

MD5
cc663dea9f6cba8950ec312abf3e1aa4

SHA1
8ca97e6449da3962b35e15560c7ab078d52e85b9

SHA256
331d13e7c378100185a4f3ba9e9619f7206be961012d1ca39359308965643736

SHA512
f5fddcb7fa417264e850c776383b3961cbc928b1cdb6d08eebfc5362cfae2fd120a4be1e3b50bd5753a5335d461e69865d902c928b2798c694651577a12c6335

Download Submit
memory/1992-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1992-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/1992-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1992-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4012-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4012-15-0x0000000001610000-0x0000000001693000-memory.dmp

Filesize
524KB

Download
memory/4012-20-0x0000000004F20000-0x0000000004F9E000-memory.dmp

Filesize
504KB

Download
memory/4012-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4012-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download