bfc3d6d12ca4a76297cf920edbdfe491c6be14e42e6b9c0722ff5efb5bfb6377

General

Target

WZO6r48DeDddU0L.exe
Size

1.7MB
MD5

0fb1a68359130ed63dfd862d0b9ecfd9
SHA1

2976a4560350ee15213b4d19f6fa8b7304cbacae
SHA256

bfc3d6d12ca4a76297cf920edbdfe491c6be14e42e6b9c0722ff5efb5bfb6377
SHA512

65e0b19dfc28d4512e0ff6a5e0299317fbfd75832a043d0f8d472c43d929fb37de6784f600bd75ccdb9824f6142393d46dedb5f64e41a79a8fd667bc45e7656f

Score

1^/10

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
1396	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1396	1340	WZO6r48DeDddU0L.exe	26
PID 1340 wrote to memory of 1396	1340	WZO6r48DeDddU0L.exe	26
PID 1340 wrote to memory of 1396	1340	WZO6r48DeDddU0L.exe	26
PID 1340 wrote to memory of 1396	1340	WZO6r48DeDddU0L.exe	26
PID 1340 wrote to memory of 1792	1340	WZO6r48DeDddU0L.exe	28
PID 1340 wrote to memory of 1792	1340	WZO6r48DeDddU0L.exe	28
PID 1340 wrote to memory of 1792	1340	WZO6r48DeDddU0L.exe	28
PID 1340 wrote to memory of 1792	1340	WZO6r48DeDddU0L.exe	28
PID 1340 wrote to memory of 1776	1340	WZO6r48DeDddU0L.exe	29
PID 1340 wrote to memory of 1776	1340	WZO6r48DeDddU0L.exe	29
PID 1340 wrote to memory of 1776	1340	WZO6r48DeDddU0L.exe	29
PID 1340 wrote to memory of 1776	1340	WZO6r48DeDddU0L.exe	29
PID 1340 wrote to memory of 1756	1340	WZO6r48DeDddU0L.exe	30
PID 1340 wrote to memory of 1756	1340	WZO6r48DeDddU0L.exe	30
PID 1340 wrote to memory of 1756	1340	WZO6r48DeDddU0L.exe	30
PID 1340 wrote to memory of 1756	1340	WZO6r48DeDddU0L.exe	30
PID 1340 wrote to memory of 1668	1340	WZO6r48DeDddU0L.exe	31
PID 1340 wrote to memory of 1668	1340	WZO6r48DeDddU0L.exe	31
PID 1340 wrote to memory of 1668	1340	WZO6r48DeDddU0L.exe	31
PID 1340 wrote to memory of 1668	1340	WZO6r48DeDddU0L.exe	31
PID 1340 wrote to memory of 1888	1340	WZO6r48DeDddU0L.exe	32
PID 1340 wrote to memory of 1888	1340	WZO6r48DeDddU0L.exe	32
PID 1340 wrote to memory of 1888	1340	WZO6r48DeDddU0L.exe	32
PID 1340 wrote to memory of 1888	1340	WZO6r48DeDddU0L.exe	32

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	WZO6r48DeDddU0L.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

C:\Users\Admin\AppData\Local\Temp\WZO6r48DeDddU0L.exe
"C:\Users\Admin\AppData\Local\Temp\WZO6r48DeDddU0L.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1340
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uycofDTWbxNb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A3F.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1396
- C:\Users\Admin\AppData\Local\Temp\WZO6r48DeDddU0L.exe
  "{path}"
  2⤵
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\WZO6r48DeDddU0L.exe
  "{path}"
  2⤵
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\WZO6r48DeDddU0L.exe
  "{path}"
  2⤵
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\WZO6r48DeDddU0L.exe
  "{path}"
  2⤵
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\WZO6r48DeDddU0L.exe
  "{path}"
  2⤵
  PID:1888