21a0c14e7eab12cf950fd60c9f53f094fef3293f978a8942ab10f502178ade8b

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 21:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d71aecb2903ea879976db42f2f2c257c.exe
Size

242KB
MD5

d71aecb2903ea879976db42f2f2c257c
SHA1

31e15388640fac71d8a987a1bb4a79c8a099b76a
SHA256

21a0c14e7eab12cf950fd60c9f53f094fef3293f978a8942ab10f502178ade8b
SHA512

9ad97b2978ce17c84fd3fce081e44c0e748f5db2b99b360838cba165d22222f1191c79218953233208ebe3848d141014f260930bf3c959dac040232c7cc4fbff
SSDEEP

6144:jDF6or34Fkf8smX5dUqOFKs9AS+np2lX2+j:jDYorUkffmTxOFKBS+np2lXx

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2932	d71aecb2903ea879976db42f2f2c257c.exe

Executes dropped EXE 1 IoCs

pid	Process
2932	d71aecb2903ea879976db42f2f2c257c.exe

Loads dropped DLL 1 IoCs

pid	Process
2864	d71aecb2903ea879976db42f2f2c257c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2932	d71aecb2903ea879976db42f2f2c257c.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2932	d71aecb2903ea879976db42f2f2c257c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2864	d71aecb2903ea879976db42f2f2c257c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2864	d71aecb2903ea879976db42f2f2c257c.exe
2932	d71aecb2903ea879976db42f2f2c257c.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2932	2864	d71aecb2903ea879976db42f2f2c257c.exe	28
PID 2864 wrote to memory of 2932	2864	d71aecb2903ea879976db42f2f2c257c.exe	28
PID 2864 wrote to memory of 2932	2864	d71aecb2903ea879976db42f2f2c257c.exe	28
PID 2864 wrote to memory of 2932	2864	d71aecb2903ea879976db42f2f2c257c.exe	28
PID 2932 wrote to memory of 2588	2932	d71aecb2903ea879976db42f2f2c257c.exe	29
PID 2932 wrote to memory of 2588	2932	d71aecb2903ea879976db42f2f2c257c.exe	29
PID 2932 wrote to memory of 2588	2932	d71aecb2903ea879976db42f2f2c257c.exe	29
PID 2932 wrote to memory of 2588	2932	d71aecb2903ea879976db42f2f2c257c.exe	29

C:\Users\Admin\AppData\Local\Temp\d71aecb2903ea879976db42f2f2c257c.exe
"C:\Users\Admin\AppData\Local\Temp\d71aecb2903ea879976db42f2f2c257c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\d71aecb2903ea879976db42f2f2c257c.exe
  C:\Users\Admin\AppData\Local\Temp\d71aecb2903ea879976db42f2f2c257c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d71aecb2903ea879976db42f2f2c257c.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\d71aecb2903ea879976db42f2f2c257c.exe

Filesize
242KB

MD5
ed10a540ef33c200b3102701cdeda79a

SHA1
eddb0d5a0873995f19e5a8920e1df465c47e1546

SHA256
810399602d6e0b4acbc2a56ad6a4a586d65b874f9487a3363894d55b12544607

SHA512
c0e8e634815a5ca111d7a5823d39cc034263219ac4ccbe8468f707c79757f6a13bb903f0ac7a478bfcf5ce20373e8f0fa022ef9ba84aa4657418454b683f59ac

Download Submit
memory/2864-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2864-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2864-2-0x0000000000190000-0x0000000000247000-memory.dmp

Filesize
732KB

Download
memory/2864-15-0x0000000002D20000-0x0000000002DD7000-memory.dmp

Filesize
732KB

Download
memory/2864-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2932-17-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2932-19-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2932-18-0x0000000000190000-0x0000000000247000-memory.dmp

Filesize
732KB

Download
memory/2932-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2932-25-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download