Analysis
- max time kernel: 83s
- max time network: 51s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-06-2020 14:25
Static task: static1

Behavioral task: behavioral1
- Sample: ot1ZIWtPLBLdX65.exe
- Resource: win7v200430
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: ot1ZIWtPLBLdX65.exe
- Resource: win10
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: ot1ZIWtPLBLdX65.exe
- Size: 709KB
- MD5: e1523c7b16c25f71620c2f5c9d60503d
- SHA1: 3566b5b47538584cf7866c3030084eafbf67bbae
- SHA256: adfd200a16ffe7c04631176e3ad03ded8785c7ecf9581f42915ea199f8c27e9b
- SHA512: b7129191a8a91cce22a9e746b3c23f7de1a0f825f74c5408e5d450d0bdee0439d050c93c1e0d3fc1e3e70572819c0d2cfeed8e331cc9bf5a0dc1fc464ee27c80
- Score: 1/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
description | pid | process | target process
PID 1388 wrote to memory of 1852 | 1388 | ot1ZIWtPLBLdX65.exe | schtasks.exe
PID 1388 wrote to memory of 1852 | 1388 | ot1ZIWtPLBLdX65.exe | schtasks.exe
PID 1388 wrote to memory of 1852 | 1388 | ot1ZIWtPLBLdX65.exe | schtasks.exe
PID 1388 wrote to memory of 1852 | 1388 | ot1ZIWtPLBLdX65.exe | schtasks.exe
PID 1388 wrote to memory of 1760 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 1760 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 1760 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 1760 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 1772 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 1772 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 1772 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 1772 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 1764 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 1764 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 1764 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 1764 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 520 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 520 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 520 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 520 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 1896 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 1896 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 1896 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
PID 1388 wrote to memory of 1896 | 1388 | ot1ZIWtPLBLdX65.exe | ot1ZIWtPLBLdX65.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1388 | ot1ZIWtPLBLdX65.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid | process
1388 | ot1ZIWtPLBLdX65.exe
1388 | ot1ZIWtPLBLdX65.exe
1388 | ot1ZIWtPLBLdX65.exe
1388 | ot1ZIWtPLBLdX65.exe
1388 | ot1ZIWtPLBLdX65.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes
- C:\Users\Admin\AppData\Local\Temp\ot1ZIWtPLBLdX65.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ot1ZIWtPLBLdX65.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HWyiIgW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9EED.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\ot1ZIWtPLBLdX65.exe (level 2)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\ot1ZIWtPLBLdX65.exe (level 2)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\ot1ZIWtPLBLdX65.exe (level 2)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\ot1ZIWtPLBLdX65.exe (level 2)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\ot1ZIWtPLBLdX65.exe (level 2)
    Command line: "{path}"