Overview

overview

7

Static

static

3

c443e51bf4...b9.exe

windows7-x64

7

c443e51bf4...b9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/03/2024, 22:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c443e51bf4e611c69c8dc61af63e5bb9.exe

  • Size

    506KB

  • MD5

    c443e51bf4e611c69c8dc61af63e5bb9

  • SHA1

    ae135b02a8a9ca36493be479994ccc1f458dc7ac

  • SHA256

    186077cdf16112f470f0dd4bc892f52879cf472be0107ebc0ccab33ae5cb0e03

  • SHA512

    9a20af1712a69a176d80edb4ed6a0cb508dcffae092f690df1c7806dc6464763e22358ddd2f9769130182e5c9a8ac03a04886ff31786e72be12908cd5d33060b

  • SSDEEP

    12288:44nC4MC1rb6/bTJ+YFYN439yTsIfD9D1ssBDJzUTVQHVX:44CfIWvV9QNOspCTVy

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c443e51bf4e611c69c8dc61af63e5bb9.exe
    "C:\Users\Admin\AppData\Local\Temp\c443e51bf4e611c69c8dc61af63e5bb9.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Users\Admin\AppData\Local\Temp\c443e51bf4e611c69c8dc61af63e5bb9.exe
      C:\Users\Admin\AppData\Local\Temp\c443e51bf4e611c69c8dc61af63e5bb9.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c443e51bf4e611c69c8dc61af63e5bb9.exe" /TN Google_Trk_Updater /F
        3⤵
        • Creates scheduled task(s)
        PID:1372

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\c443e51bf4e611c69c8dc61af63e5bb9.exe
    Filesize

    506KB

    MD5

    9da25b89d9682c4f2c8595bfdde984d9

    SHA1

    1be8408709348b0942fbf25432736de967e77223

    SHA256

    3f008f99475e88cc71e92beb105a3f68c6c63538abb4021462ba3340a9e48e62

    SHA512

    7bef9dabf3fd9fbef240456c41536e26d25bc1b9b6842abf6130d3ee374af517044a8d2149e4267c0ed276544f70727b2b92161c4e074df50a124976e5fc921e

    Download Submit

  • memory/2744-13-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/2744-17-0x0000000000160000-0x00000000001E3000-memory.dmp

    Filesize

    524KB

    Download

  • memory/2744-20-0x0000000004F80000-0x0000000004FFE000-memory.dmp

    Filesize

    504KB

    Download

  • memory/2744-21-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2744-27-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/4648-0-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/4648-1-0x0000000001510000-0x0000000001593000-memory.dmp

    Filesize

    524KB

    Download

  • memory/4648-2-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/4648-11-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

    Download