Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 16:52

Static task: static1

Behavioral task: behavioral1
- Sample: 7503f33c454ff72f582b1d730cd89471.exe
- Resource: win7-20231215-en
General
- Target: 7503f33c454ff72f582b1d730cd89471.exe
- Size: 241KB
- MD5: 7503f33c454ff72f582b1d730cd89471
- SHA1: 8d4a46c0be9ee73f8b6b32459d8998db490a8461
- SHA256: 4409a2d6457405682a5a0ada61573bb53117a5906a4021bc52ec89ec46a08ddb
- SHA512: cf99c784346caaa71579e735ffd98ae4c7536402ff36eee0ebcb8f0b826106aa3f91871e174c6dc239adc8d1cd30a150856c840933e7715240c782653e757496
- SSDEEP: 6144:Sd+0o58vYv0YMb5627rvzg97XdjBZzL2V:Sd+b6UC6yXgJXN6V
Malware Config
Signatures
- Deletes itself (1 IoCs)
  Processes: pid 3068, process 7503f33c454ff72f582b1d730cd89471.exe
- Executes dropped EXE (1 IoCs)
  Processes: pid 3068, process 7503f33c454ff72f582b1d730cd89471.exe
- Loads dropped DLL (1 IoCs)
  Processes: pid 3028, process 7503f33c454ff72f582b1d730cd89471.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes: pid 3068, process 7503f33c454ff72f582b1d730cd89471.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: pid 3068, process 7503f33c454ff72f582b1d730cd89471.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: pid 3028, process 7503f33c454ff72f582b1d730cd89471.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes:
  - pid 3028, process 7503f33c454ff72f582b1d730cd89471.exe
  - pid 3068, process 7503f33c454ff72f582b1d730cd89471.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  - PID 3028 wrote to memory of 3068: 7503f33c454ff72f582b1d730cd89471.exe -> 7503f33c454ff72f582b1d730cd89471.exe
  - PID 3028 wrote to memory of 3068: 7503f33c454ff72f582b1d730cd89471.exe -> 7503f33c454ff72f582b1d730cd89471.exe
  - PID 3028 wrote to memory of 3068: 7503f33c454ff72f582b1d730cd89471.exe -> 7503f33c454ff72f582b1d730cd89471.exe
  - PID 3028 wrote to memory of 3068: 7503f33c454ff72f582b1d730cd89471.exe -> 7503f33c454ff72f582b1d730cd89471.exe
  - PID 3068 wrote to memory of 2852: 7503f33c454ff72f582b1d730cd89471.exe -> schtasks.exe
  - PID 3068 wrote to memory of 2852: 7503f33c454ff72f582b1d730cd89471.exe -> schtasks.exe
  - PID 3068 wrote to memory of 2852: 7503f33c454ff72f582b1d730cd89471.exe -> schtasks.exe
  - PID 3068 wrote to memory of 2852: 7503f33c454ff72f582b1d730cd89471.exe -> schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7503f33c454ff72f582b1d730cd89471.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7503f33c454ff72f582b1d730cd89471.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 3028
  - C:\Users\Admin\AppData\Local\Temp\7503f33c454ff72f582b1d730cd89471.exe (child of PID 3028)
    Command line: C:\Users\Admin\AppData\Local\Temp\7503f33c454ff72f582b1d730cd89471.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID: 3068
    - C:\Windows\SysWOW64\schtasks.exe (child of PID 3068)
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\7503f33c454ff72f582b1d730cd89471.exe" /TN Google_Trk_Updater /F
      - Creates scheduled task(s)
      PID: 2852
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\CabF7D.tmp
  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- C:\Users\Admin\AppData\Local\Temp\TarF90.tmp
  Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
- \Users\Admin\AppData\Local\Temp\7503f33c454ff72f582b1d730cd89471.exe
  Filesize: 241KB
  MD5: e93b9329f07a2414e1dccef070f78031
  SHA1: f6ba9971abbfb681e265beb942aa0a53d6e40d87
  SHA256: a6690d4457b69fda2311a98b3d014a85d59d1160289c193111a4dc217124ae7c
  SHA512: 966bc99f185583a7f767beaf66d346cd7b5f1e4bf3ef3f59eb9ca4fc3f8371b80d54df242cde3d95da5cdea1f440b83ae253b82ceae4750b61d81b7446db57de
- memory/3028-0-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
- memory/3028-1-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB
- memory/3028-2-0x0000000000190000-0x0000000000247000-memory.dmp
  Filesize: 732KB
- memory/3028-15-0x0000000002CF0000-0x0000000002DA7000-memory.dmp
  Filesize: 732KB
- memory/3028-14-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB
- memory/3068-17-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
- memory/3068-18-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB
- memory/3068-23-0x0000000000400000-0x000000000045B000-memory.dmp
  Filesize: 364KB
- memory/3068-28-0x0000000000370000-0x00000000003D6000-memory.dmp
  Filesize: 408KB