027e6f46a26cd7eec45555e7968d4d2ceda1d810a7005f8c015899b47d3173b9

General

Target

3549dfa98db11f34cf7d96466e0952c4.exe
Size

212KB
MD5

3549dfa98db11f34cf7d96466e0952c4
SHA1

582dd0688d26e512ffaebf94f4bebb315f2bb165
SHA256

027e6f46a26cd7eec45555e7968d4d2ceda1d810a7005f8c015899b47d3173b9
SHA512

925d29909a9534d77c908ad59824501b2fc61d1528d98bf184fbceeddee400c856da5f1902c11806a08544c388e513f96a5dbb505f2bc029666614e572212f4f

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Googlechromee.exeGooglechromee.exe

pid process

2024 Googlechromee.exe
944 Googlechromee.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1984 timeout.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1996 schtasks.exe

pid	process
2024	Googlechromee.exe
944	Googlechromee.exe

pid	process
1984	timeout.exe

pid	process
1996	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

3549dfa98db11f34cf7d96466e0952c4.exe3549dfa98db11f34cf7d96466e0952c4.execmd.execmd.exeGooglechromee.exe

description	pid	process	target process
PID 1496 wrote to memory of 1848	1496	3549dfa98db11f34cf7d96466e0952c4.exe	3549dfa98db11f34cf7d96466e0952c4.exe
PID 1496 wrote to memory of 1848	1496	3549dfa98db11f34cf7d96466e0952c4.exe	3549dfa98db11f34cf7d96466e0952c4.exe
PID 1496 wrote to memory of 1848	1496	3549dfa98db11f34cf7d96466e0952c4.exe	3549dfa98db11f34cf7d96466e0952c4.exe
PID 1496 wrote to memory of 1848	1496	3549dfa98db11f34cf7d96466e0952c4.exe	3549dfa98db11f34cf7d96466e0952c4.exe
PID 1496 wrote to memory of 1864	1496	3549dfa98db11f34cf7d96466e0952c4.exe	3549dfa98db11f34cf7d96466e0952c4.exe
PID 1496 wrote to memory of 1864	1496	3549dfa98db11f34cf7d96466e0952c4.exe	3549dfa98db11f34cf7d96466e0952c4.exe
PID 1496 wrote to memory of 1864	1496	3549dfa98db11f34cf7d96466e0952c4.exe	3549dfa98db11f34cf7d96466e0952c4.exe
PID 1496 wrote to memory of 1864	1496	3549dfa98db11f34cf7d96466e0952c4.exe	3549dfa98db11f34cf7d96466e0952c4.exe
PID 1496 wrote to memory of 1864	1496	3549dfa98db11f34cf7d96466e0952c4.exe	3549dfa98db11f34cf7d96466e0952c4.exe
PID 1496 wrote to memory of 1864	1496	3549dfa98db11f34cf7d96466e0952c4.exe	3549dfa98db11f34cf7d96466e0952c4.exe
PID 1496 wrote to memory of 1864	1496	3549dfa98db11f34cf7d96466e0952c4.exe	3549dfa98db11f34cf7d96466e0952c4.exe
PID 1496 wrote to memory of 1864	1496	3549dfa98db11f34cf7d96466e0952c4.exe	3549dfa98db11f34cf7d96466e0952c4.exe
PID 1496 wrote to memory of 1864	1496	3549dfa98db11f34cf7d96466e0952c4.exe	3549dfa98db11f34cf7d96466e0952c4.exe
PID 1864 wrote to memory of 1928	1864	3549dfa98db11f34cf7d96466e0952c4.exe	cmd.exe
PID 1864 wrote to memory of 1928	1864	3549dfa98db11f34cf7d96466e0952c4.exe	cmd.exe
PID 1864 wrote to memory of 1928	1864	3549dfa98db11f34cf7d96466e0952c4.exe	cmd.exe
PID 1864 wrote to memory of 1928	1864	3549dfa98db11f34cf7d96466e0952c4.exe	cmd.exe
PID 1864 wrote to memory of 1952	1864	3549dfa98db11f34cf7d96466e0952c4.exe	cmd.exe
PID 1864 wrote to memory of 1952	1864	3549dfa98db11f34cf7d96466e0952c4.exe	cmd.exe
PID 1864 wrote to memory of 1952	1864	3549dfa98db11f34cf7d96466e0952c4.exe	cmd.exe
PID 1864 wrote to memory of 1952	1864	3549dfa98db11f34cf7d96466e0952c4.exe	cmd.exe
PID 1952 wrote to memory of 1984	1952	cmd.exe	timeout.exe
PID 1952 wrote to memory of 1984	1952	cmd.exe	timeout.exe
PID 1952 wrote to memory of 1984	1952	cmd.exe	timeout.exe
PID 1952 wrote to memory of 1984	1952	cmd.exe	timeout.exe
PID 1928 wrote to memory of 1996	1928	cmd.exe	schtasks.exe
PID 1928 wrote to memory of 1996	1928	cmd.exe	schtasks.exe
PID 1928 wrote to memory of 1996	1928	cmd.exe	schtasks.exe
PID 1928 wrote to memory of 1996	1928	cmd.exe	schtasks.exe
PID 1952 wrote to memory of 2024	1952	cmd.exe	Googlechromee.exe
PID 1952 wrote to memory of 2024	1952	cmd.exe	Googlechromee.exe
PID 1952 wrote to memory of 2024	1952	cmd.exe	Googlechromee.exe
PID 1952 wrote to memory of 2024	1952	cmd.exe	Googlechromee.exe
PID 2024 wrote to memory of 944	2024	Googlechromee.exe	Googlechromee.exe
PID 2024 wrote to memory of 944	2024	Googlechromee.exe	Googlechromee.exe
PID 2024 wrote to memory of 944	2024	Googlechromee.exe	Googlechromee.exe
PID 2024 wrote to memory of 944	2024	Googlechromee.exe	Googlechromee.exe
PID 2024 wrote to memory of 944	2024	Googlechromee.exe	Googlechromee.exe
PID 2024 wrote to memory of 944	2024	Googlechromee.exe	Googlechromee.exe
PID 2024 wrote to memory of 944	2024	Googlechromee.exe	Googlechromee.exe
PID 2024 wrote to memory of 944	2024	Googlechromee.exe	Googlechromee.exe
PID 2024 wrote to memory of 944	2024	Googlechromee.exe	Googlechromee.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

3549dfa98db11f34cf7d96466e0952c4.exe3549dfa98db11f34cf7d96466e0952c4.exeGooglechromee.exe

description	pid	process
Token: SeDebugPrivilege	1496	3549dfa98db11f34cf7d96466e0952c4.exe
Token: SeDebugPrivilege	1864	3549dfa98db11f34cf7d96466e0952c4.exe
Token: SeDebugPrivilege	944	Googlechromee.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

3549dfa98db11f34cf7d96466e0952c4.exe3549dfa98db11f34cf7d96466e0952c4.exe

pid process

1496 3549dfa98db11f34cf7d96466e0952c4.exe
1864 3549dfa98db11f34cf7d96466e0952c4.exe
1864 3549dfa98db11f34cf7d96466e0952c4.exe

pid	process
1496	3549dfa98db11f34cf7d96466e0952c4.exe
1864	3549dfa98db11f34cf7d96466e0952c4.exe
1864	3549dfa98db11f34cf7d96466e0952c4.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3549dfa98db11f34cf7d96466e0952c4.exeGooglechromee.exe

description	pid	process	target process
PID 1496 set thread context of 1864	1496	3549dfa98db11f34cf7d96466e0952c4.exe	3549dfa98db11f34cf7d96466e0952c4.exe
PID 2024 set thread context of 944	2024	Googlechromee.exe	Googlechromee.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1952 cmd.exe

pid	process
1952	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3549dfa98db11f34cf7d96466e0952c4.exe
"C:\Users\Admin\AppData\Local\Temp\3549dfa98db11f34cf7d96466e0952c4.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:1496

C:\Users\Admin\AppData\Local\Temp\3549dfa98db11f34cf7d96466e0952c4.exe
"C:\Users\Admin\AppData\Local\Temp\3549dfa98db11f34cf7d96466e0952c4.exe"
2⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\3549dfa98db11f34cf7d96466e0952c4.exe
"C:\Users\Admin\AppData\Local\Temp\3549dfa98db11f34cf7d96466e0952c4.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Googlechromee" /tr '"C:\Users\Admin\AppData\Roaming\Googlechromee.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Googlechromee" /tr '"C:\Users\Admin\AppData\Roaming\Googlechromee.exe"'
4⤵
- Creates scheduled task(s)
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC071.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1952

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1984

C:\Users\Admin\AppData\Roaming\Googlechromee.exe
"C:\Users\Admin\AppData\Roaming\Googlechromee.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:2024

C:\Users\Admin\AppData\Roaming\Googlechromee.exe
"C:\Users\Admin\AppData\Roaming\Googlechromee.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC071.tmp.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Googlechromee.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Googlechromee.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Googlechromee.exe

Download Submit
\??\PIPE\lsarpc

Download Submit
\Users\Admin\AppData\Roaming\Googlechromee.exe

Download Submit
memory/944-19-0x000000000040C75E-mapping.dmp

Download
memory/944-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1496-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1864-3-0x000000000040C75E-mapping.dmp

Download
memory/1864-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1864-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1864-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1928-6-0x0000000000000000-mapping.dmp

Download
memory/1952-7-0x0000000000000000-mapping.dmp

Download
memory/1984-9-0x0000000000000000-mapping.dmp

Download
memory/1996-10-0x0000000000000000-mapping.dmp

Download
memory/2024-13-0x0000000000000000-mapping.dmp

Download
memory/2024-15-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads