fbd01daf6f9541d648c04572779da9203855c18fe20fb333f7b5ed18206abc22

General

Target

ca9b1397310d3cbe5af8773585cbfd29.exe
Size

215KB
MD5

ca9b1397310d3cbe5af8773585cbfd29
SHA1

e4c75367993918616d558dcf5ddab4f544dd49c9
SHA256

fbd01daf6f9541d648c04572779da9203855c18fe20fb333f7b5ed18206abc22
SHA512

d5181670089668e8b03d7eda6aa2e5d38e19b7150eb41b441153f22e4d5718795a781f7fcb2ece9bfefa32eaff43f1b478c792acd87bd461506b7353b61e4c8a

Score

8^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ca9b1397310d3cbe5af8773585cbfd29.exe

pid process

1364 ca9b1397310d3cbe5af8773585cbfd29.exe
1364 ca9b1397310d3cbe5af8773585cbfd29.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

760 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Googlechromee.exeGooglechromee.exe

pid process

828 Googlechromee.exe
1556 Googlechromee.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1016 timeout.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

700 schtasks.exe

pid	process
1364	ca9b1397310d3cbe5af8773585cbfd29.exe
1364	ca9b1397310d3cbe5af8773585cbfd29.exe

pid	process
760	cmd.exe

pid	process
828	Googlechromee.exe
1556	Googlechromee.exe

pid	process
1016	timeout.exe

pid	process
700	schtasks.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

ca9b1397310d3cbe5af8773585cbfd29.execa9b1397310d3cbe5af8773585cbfd29.execmd.execmd.exeGooglechromee.exe

description	pid	process	target process
PID 1056 wrote to memory of 1364	1056	ca9b1397310d3cbe5af8773585cbfd29.exe	ca9b1397310d3cbe5af8773585cbfd29.exe
PID 1056 wrote to memory of 1364	1056	ca9b1397310d3cbe5af8773585cbfd29.exe	ca9b1397310d3cbe5af8773585cbfd29.exe
PID 1056 wrote to memory of 1364	1056	ca9b1397310d3cbe5af8773585cbfd29.exe	ca9b1397310d3cbe5af8773585cbfd29.exe
PID 1056 wrote to memory of 1364	1056	ca9b1397310d3cbe5af8773585cbfd29.exe	ca9b1397310d3cbe5af8773585cbfd29.exe
PID 1056 wrote to memory of 1364	1056	ca9b1397310d3cbe5af8773585cbfd29.exe	ca9b1397310d3cbe5af8773585cbfd29.exe
PID 1056 wrote to memory of 1364	1056	ca9b1397310d3cbe5af8773585cbfd29.exe	ca9b1397310d3cbe5af8773585cbfd29.exe
PID 1056 wrote to memory of 1364	1056	ca9b1397310d3cbe5af8773585cbfd29.exe	ca9b1397310d3cbe5af8773585cbfd29.exe
PID 1056 wrote to memory of 1364	1056	ca9b1397310d3cbe5af8773585cbfd29.exe	ca9b1397310d3cbe5af8773585cbfd29.exe
PID 1056 wrote to memory of 1364	1056	ca9b1397310d3cbe5af8773585cbfd29.exe	ca9b1397310d3cbe5af8773585cbfd29.exe
PID 1364 wrote to memory of 1796	1364	ca9b1397310d3cbe5af8773585cbfd29.exe	cmd.exe
PID 1364 wrote to memory of 1796	1364	ca9b1397310d3cbe5af8773585cbfd29.exe	cmd.exe
PID 1364 wrote to memory of 1796	1364	ca9b1397310d3cbe5af8773585cbfd29.exe	cmd.exe
PID 1364 wrote to memory of 1796	1364	ca9b1397310d3cbe5af8773585cbfd29.exe	cmd.exe
PID 1364 wrote to memory of 760	1364	ca9b1397310d3cbe5af8773585cbfd29.exe	cmd.exe
PID 1364 wrote to memory of 760	1364	ca9b1397310d3cbe5af8773585cbfd29.exe	cmd.exe
PID 1364 wrote to memory of 760	1364	ca9b1397310d3cbe5af8773585cbfd29.exe	cmd.exe
PID 1364 wrote to memory of 760	1364	ca9b1397310d3cbe5af8773585cbfd29.exe	cmd.exe
PID 1796 wrote to memory of 700	1796	cmd.exe	schtasks.exe
PID 1796 wrote to memory of 700	1796	cmd.exe	schtasks.exe
PID 1796 wrote to memory of 700	1796	cmd.exe	schtasks.exe
PID 1796 wrote to memory of 700	1796	cmd.exe	schtasks.exe
PID 760 wrote to memory of 1016	760	cmd.exe	timeout.exe
PID 760 wrote to memory of 1016	760	cmd.exe	timeout.exe
PID 760 wrote to memory of 1016	760	cmd.exe	timeout.exe
PID 760 wrote to memory of 1016	760	cmd.exe	timeout.exe
PID 760 wrote to memory of 828	760	cmd.exe	Googlechromee.exe
PID 760 wrote to memory of 828	760	cmd.exe	Googlechromee.exe
PID 760 wrote to memory of 828	760	cmd.exe	Googlechromee.exe
PID 760 wrote to memory of 828	760	cmd.exe	Googlechromee.exe
PID 828 wrote to memory of 1556	828	Googlechromee.exe	Googlechromee.exe
PID 828 wrote to memory of 1556	828	Googlechromee.exe	Googlechromee.exe
PID 828 wrote to memory of 1556	828	Googlechromee.exe	Googlechromee.exe
PID 828 wrote to memory of 1556	828	Googlechromee.exe	Googlechromee.exe
PID 828 wrote to memory of 1556	828	Googlechromee.exe	Googlechromee.exe
PID 828 wrote to memory of 1556	828	Googlechromee.exe	Googlechromee.exe
PID 828 wrote to memory of 1556	828	Googlechromee.exe	Googlechromee.exe
PID 828 wrote to memory of 1556	828	Googlechromee.exe	Googlechromee.exe
PID 828 wrote to memory of 1556	828	Googlechromee.exe	Googlechromee.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ca9b1397310d3cbe5af8773585cbfd29.exeGooglechromee.exe

description	pid	process	target process
PID 1056 set thread context of 1364	1056	ca9b1397310d3cbe5af8773585cbfd29.exe	ca9b1397310d3cbe5af8773585cbfd29.exe
PID 828 set thread context of 1556	828	Googlechromee.exe	Googlechromee.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ca9b1397310d3cbe5af8773585cbfd29.exeGooglechromee.exe

description pid process

Token: SeDebugPrivilege 1364 ca9b1397310d3cbe5af8773585cbfd29.exe
Token: SeDebugPrivilege 1556 Googlechromee.exe

description	pid	process
Token: SeDebugPrivilege	1364	ca9b1397310d3cbe5af8773585cbfd29.exe
Token: SeDebugPrivilege	1556	Googlechromee.exe

C:\Users\Admin\AppData\Local\Temp\ca9b1397310d3cbe5af8773585cbfd29.exe
"C:\Users\Admin\AppData\Local\Temp\ca9b1397310d3cbe5af8773585cbfd29.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1056

C:\Users\Admin\AppData\Local\Temp\ca9b1397310d3cbe5af8773585cbfd29.exe
"C:\Users\Admin\AppData\Local\Temp\ca9b1397310d3cbe5af8773585cbfd29.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Googlechromee" /tr '"C:\Users\Admin\AppData\Roaming\Googlechromee.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Googlechromee" /tr '"C:\Users\Admin\AppData\Roaming\Googlechromee.exe"'
4⤵
- Creates scheduled task(s)
PID:700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8361.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1016

C:\Users\Admin\AppData\Roaming\Googlechromee.exe
"C:\Users\Admin\AppData\Roaming\Googlechromee.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:828

C:\Users\Admin\AppData\Roaming\Googlechromee.exe
"C:\Users\Admin\AppData\Roaming\Googlechromee.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8361.tmp.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Googlechromee.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Googlechromee.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Googlechromee.exe

Download Submit
\Users\Admin\AppData\Roaming\Googlechromee.exe

Download Submit
memory/700-9-0x0000000000000000-mapping.dmp

Download
memory/760-7-0x0000000000000000-mapping.dmp

Download
memory/828-13-0x0000000000000000-mapping.dmp

Download
memory/828-14-0x0000000000000000-mapping.dmp

Download
memory/1016-10-0x0000000000000000-mapping.dmp

Download
memory/1056-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1364-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1364-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1364-3-0x000000000040C75E-mapping.dmp

Download
memory/1364-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1556-19-0x000000000040C75E-mapping.dmp

Download
memory/1556-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1556-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1796-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads