21a0c14e7eab12cf950fd60c9f53f094fef3293f978a8942ab10f502178ade8b

Analysis

max time kernel
145s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d71aecb2903ea879976db42f2f2c257c.exe
Size

242KB
MD5

d71aecb2903ea879976db42f2f2c257c
SHA1

31e15388640fac71d8a987a1bb4a79c8a099b76a
SHA256

21a0c14e7eab12cf950fd60c9f53f094fef3293f978a8942ab10f502178ade8b
SHA512

9ad97b2978ce17c84fd3fce081e44c0e748f5db2b99b360838cba165d22222f1191c79218953233208ebe3848d141014f260930bf3c959dac040232c7cc4fbff
SSDEEP

6144:jDF6or34Fkf8smX5dUqOFKs9AS+np2lX2+j:jDYorUkffmTxOFKBS+np2lXx

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4236	d71aecb2903ea879976db42f2f2c257c.exe

Executes dropped EXE 1 IoCs

pid	Process
4236	d71aecb2903ea879976db42f2f2c257c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4236	d71aecb2903ea879976db42f2f2c257c.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4236	d71aecb2903ea879976db42f2f2c257c.exe
4236	d71aecb2903ea879976db42f2f2c257c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4600	d71aecb2903ea879976db42f2f2c257c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4600	d71aecb2903ea879976db42f2f2c257c.exe
4236	d71aecb2903ea879976db42f2f2c257c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 4236	4600	d71aecb2903ea879976db42f2f2c257c.exe	88
PID 4600 wrote to memory of 4236	4600	d71aecb2903ea879976db42f2f2c257c.exe	88
PID 4600 wrote to memory of 4236	4600	d71aecb2903ea879976db42f2f2c257c.exe	88
PID 4236 wrote to memory of 5048	4236	d71aecb2903ea879976db42f2f2c257c.exe	91
PID 4236 wrote to memory of 5048	4236	d71aecb2903ea879976db42f2f2c257c.exe	91
PID 4236 wrote to memory of 5048	4236	d71aecb2903ea879976db42f2f2c257c.exe	91

C:\Users\Admin\AppData\Local\Temp\d71aecb2903ea879976db42f2f2c257c.exe
"C:\Users\Admin\AppData\Local\Temp\d71aecb2903ea879976db42f2f2c257c.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Local\Temp\d71aecb2903ea879976db42f2f2c257c.exe
  C:\Users\Admin\AppData\Local\Temp\d71aecb2903ea879976db42f2f2c257c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d71aecb2903ea879976db42f2f2c257c.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d71aecb2903ea879976db42f2f2c257c.exe

Filesize
242KB

MD5
761be7af6d2fd40d399f53550161d6d6

SHA1
2c026efb5a930e7db441bd188c2af9ed8f865801

SHA256
60c347eb71e0ee2c60319ac8d01d030a6127b2c8f297d074c10c249eecbc918f

SHA512
cc7836ea736a726eb73f0234b478449fae42ecee2409573a59492cf4a91ac15d6d3bce09d570fc85e0efa61a6bd64a1e085bc3f4a50bd1429fa19d769bd15163

Download Submit
memory/4236-13-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4236-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4236-14-0x0000000001670000-0x0000000001727000-memory.dmp

Filesize
732KB

Download
memory/4236-21-0x0000000004F30000-0x0000000004F97000-memory.dmp

Filesize
412KB

Download
memory/4236-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4600-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4600-1-0x0000000001590000-0x0000000001647000-memory.dmp

Filesize
732KB

Download
memory/4600-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4600-11-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download