7ea0dddbc8408010c3cc4367c2e4c6fb57cfd1918a231bb65fb0cc0fe5d9c0cf

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b7d64e25efb8541e6cec8fc85742c9e.exe
Size

242KB
MD5

8b7d64e25efb8541e6cec8fc85742c9e
SHA1

880128470fadd5c23d4cd3aa20f91e83e1809021
SHA256

7ea0dddbc8408010c3cc4367c2e4c6fb57cfd1918a231bb65fb0cc0fe5d9c0cf
SHA512

84bb025186a1efe0c689d5e7342eb7dd240320b261919b2b5024d576b4d790b3c96782f84985f39e4d016cb6935ce2109d11469769bafaac66f4d6edb0bcf1f5
SSDEEP

6144:1wGBCIQbD1yxfhnI5HcUpQc4ncfLtPkic5Kjyy9/5/QNCO:1nBfQbDQbnUrYn4BsiUG34Np

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2864	8b7d64e25efb8541e6cec8fc85742c9e.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	8b7d64e25efb8541e6cec8fc85742c9e.exe

Loads dropped DLL 1 IoCs

pid	Process
2476	8b7d64e25efb8541e6cec8fc85742c9e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2864	8b7d64e25efb8541e6cec8fc85742c9e.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2864	8b7d64e25efb8541e6cec8fc85742c9e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2476	8b7d64e25efb8541e6cec8fc85742c9e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2476	8b7d64e25efb8541e6cec8fc85742c9e.exe
2864	8b7d64e25efb8541e6cec8fc85742c9e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2864	2476	8b7d64e25efb8541e6cec8fc85742c9e.exe	28
PID 2476 wrote to memory of 2864	2476	8b7d64e25efb8541e6cec8fc85742c9e.exe	28
PID 2476 wrote to memory of 2864	2476	8b7d64e25efb8541e6cec8fc85742c9e.exe	28
PID 2476 wrote to memory of 2864	2476	8b7d64e25efb8541e6cec8fc85742c9e.exe	28
PID 2864 wrote to memory of 2852	2864	8b7d64e25efb8541e6cec8fc85742c9e.exe	29
PID 2864 wrote to memory of 2852	2864	8b7d64e25efb8541e6cec8fc85742c9e.exe	29
PID 2864 wrote to memory of 2852	2864	8b7d64e25efb8541e6cec8fc85742c9e.exe	29
PID 2864 wrote to memory of 2852	2864	8b7d64e25efb8541e6cec8fc85742c9e.exe	29

C:\Users\Admin\AppData\Local\Temp\8b7d64e25efb8541e6cec8fc85742c9e.exe
"C:\Users\Admin\AppData\Local\Temp\8b7d64e25efb8541e6cec8fc85742c9e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\8b7d64e25efb8541e6cec8fc85742c9e.exe
  C:\Users\Admin\AppData\Local\Temp\8b7d64e25efb8541e6cec8fc85742c9e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8b7d64e25efb8541e6cec8fc85742c9e.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\8b7d64e25efb8541e6cec8fc85742c9e.exe

Filesize
242KB

MD5
fb6988f599dd6ddc11c28e51fa8601b4

SHA1
e239aa6a0ed9650a87c3bf8d4f7294371f3a1db9

SHA256
c6151587d9e56180b2a8e06fb0a0bb0de823cee267f3842204123c1f3fa490e8

SHA512
d2844e037191d37a55682cd55142f6efacf53872c543b961568ca5d95ddf8f649b92dd432e4b52623393cf7ea31e251e6da042f9e17b1d95fc9321eb6c66bcb0

Download Submit
memory/2476-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2476-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2476-2-0x0000000000310000-0x00000000003C7000-memory.dmp

Filesize
732KB

Download
memory/2476-15-0x0000000002D70000-0x0000000002E27000-memory.dmp

Filesize
732KB

Download
memory/2476-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2864-18-0x0000000000190000-0x0000000000247000-memory.dmp

Filesize
732KB

Download
memory/2864-21-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2864-17-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2864-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2864-26-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download