d9cc359434fe39670f62e704706898c98e585493dc278cb95d85bd484bae31a2

Analysis

Target

ACVi5thpc2g7rav.exe
Size

823KB
MD5

38c36c621e2d3240a43e2065662d0b44
SHA1

a90cf88c2ac557d01417465a3821443e58efa6f3
SHA256

470ec39d83b15dbacbd1a3ead063329afc46a116e41b200cade7d8ee505adb70
SHA512

9caa88a9fe37b2f3b262b821b603d72ed65f80734399f60a6f94d8153d2439d04fc6b31011359493741ba88c350db63d3f50cfe5948392d7b44d67cff8240e02

Score

1^/10

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3184 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ACVi5thpc2g7rav.exe

pid process

3888 ACVi5thpc2g7rav.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ACVi5thpc2g7rav.exe

description pid process

Token: SeDebugPrivilege 3888 ACVi5thpc2g7rav.exe

pid	process
3184	schtasks.exe

pid	process
3888	ACVi5thpc2g7rav.exe

description	pid	process
Token: SeDebugPrivilege	3888	ACVi5thpc2g7rav.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ACVi5thpc2g7rav.exe

description	pid	process	target process
PID 3888 wrote to memory of 3184	3888	ACVi5thpc2g7rav.exe	schtasks.exe
PID 3888 wrote to memory of 3184	3888	ACVi5thpc2g7rav.exe	schtasks.exe
PID 3888 wrote to memory of 3184	3888	ACVi5thpc2g7rav.exe	schtasks.exe

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nInrwPNXrHrlqB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCE8.tmp"
2⤵
- Creates scheduled task(s)
PID:3184

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Local\Temp\tmpDCE8.tmp
MD5
b623c3ac4ffeeb032558a18a5e876bdd

SHA1
400feb49bbb4a36a865409ae0c35a861db275837

SHA256
b063cc11f1038e9350132f8a3f0288198796f641608ef8690b8d7b50d6ec1087

SHA512
2b9a8132faf802302c043e7207883123c1372409239b96baf6a0c54f40b7a571c0c72b785424e1d904fae47931da134300d1bcad1f6e0ff47257f6770b457b98

Download Submit
memory/3184-12-0x0000000000000000-mapping.dmp

Download
memory/3888-2-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/3888-3-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3888-5-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/3888-6-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3888-7-0x0000000003060000-0x0000000003061000-memory.dmp

Filesize
4KB

Download
memory/3888-8-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/3888-9-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/3888-10-0x0000000005740000-0x000000000574E000-memory.dmp

Filesize
56KB

Download
memory/3888-11-0x0000000006BB0000-0x0000000006C8E000-memory.dmp

Filesize
888KB

Download
memory/3888-14-0x0000000006DA0000-0x0000000006E01000-memory.dmp

Filesize
388KB

Download