7ea0dddbc8408010c3cc4367c2e4c6fb57cfd1918a231bb65fb0cc0fe5d9c0cf

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b7d64e25efb8541e6cec8fc85742c9e.exe
Size

242KB
MD5

8b7d64e25efb8541e6cec8fc85742c9e
SHA1

880128470fadd5c23d4cd3aa20f91e83e1809021
SHA256

7ea0dddbc8408010c3cc4367c2e4c6fb57cfd1918a231bb65fb0cc0fe5d9c0cf
SHA512

84bb025186a1efe0c689d5e7342eb7dd240320b261919b2b5024d576b4d790b3c96782f84985f39e4d016cb6935ce2109d11469769bafaac66f4d6edb0bcf1f5
SSDEEP

6144:1wGBCIQbD1yxfhnI5HcUpQc4ncfLtPkic5Kjyy9/5/QNCO:1nBfQbDQbnUrYn4BsiUG34Np

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4928	8b7d64e25efb8541e6cec8fc85742c9e.exe

Executes dropped EXE 1 IoCs

pid	Process
4928	8b7d64e25efb8541e6cec8fc85742c9e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4928	8b7d64e25efb8541e6cec8fc85742c9e.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4928	8b7d64e25efb8541e6cec8fc85742c9e.exe
4928	8b7d64e25efb8541e6cec8fc85742c9e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4332	8b7d64e25efb8541e6cec8fc85742c9e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4332	8b7d64e25efb8541e6cec8fc85742c9e.exe
4928	8b7d64e25efb8541e6cec8fc85742c9e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 4928	4332	8b7d64e25efb8541e6cec8fc85742c9e.exe	84
PID 4332 wrote to memory of 4928	4332	8b7d64e25efb8541e6cec8fc85742c9e.exe	84
PID 4332 wrote to memory of 4928	4332	8b7d64e25efb8541e6cec8fc85742c9e.exe	84
PID 4928 wrote to memory of 4372	4928	8b7d64e25efb8541e6cec8fc85742c9e.exe	85
PID 4928 wrote to memory of 4372	4928	8b7d64e25efb8541e6cec8fc85742c9e.exe	85
PID 4928 wrote to memory of 4372	4928	8b7d64e25efb8541e6cec8fc85742c9e.exe	85

C:\Users\Admin\AppData\Local\Temp\8b7d64e25efb8541e6cec8fc85742c9e.exe
"C:\Users\Admin\AppData\Local\Temp\8b7d64e25efb8541e6cec8fc85742c9e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\8b7d64e25efb8541e6cec8fc85742c9e.exe
  C:\Users\Admin\AppData\Local\Temp\8b7d64e25efb8541e6cec8fc85742c9e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8b7d64e25efb8541e6cec8fc85742c9e.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8b7d64e25efb8541e6cec8fc85742c9e.exe

Filesize
242KB

MD5
74e857c02cfd5a92d4fe49bd84cfdbce

SHA1
239c883301c0f9aab4996cfaa123688b1829f490

SHA256
dc39d0b6fc3940de994bba30436363df7691d4d6de10e7956b38e5a96a9b1ca0

SHA512
c036e3b30d7ebf80b2ff15eafefdbd3558b8be77c2e269261642be742874113775a28d41314c862e739f754ec84c0f4569385d5c071bda048492dfb75723af26

Download Submit
memory/4332-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4332-1-0x00000000014C0000-0x0000000001577000-memory.dmp

Filesize
732KB

Download
memory/4332-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4332-11-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4928-13-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4928-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4928-15-0x0000000001530000-0x00000000015E7000-memory.dmp

Filesize
732KB

Download
memory/4928-20-0x0000000004F60000-0x0000000004FC7000-memory.dmp

Filesize
412KB

Download
memory/4928-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download