c55d612d19305f4d4cc486f3129d64fd25bfcb58725b18bfb4c8a9e002c0b651

General

Target

ir_exe.exe
Size

657KB
MD5

de43b3e46361b3522be35d19af67db4d
SHA1

6009ec1f95be87abf4b379aaa089095c1a148886
SHA256

c55d612d19305f4d4cc486f3129d64fd25bfcb58725b18bfb4c8a9e002c0b651
SHA512

dbcd668d1dd5859bf1abdab9f3d9bb4094f99c66f656c76dadd5906e2b53be3be54087b6b54a91aa9bfad1f003d5196c922cf482dd0824ed69c3b96418ea56cd

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1672 schtasks.exe

pid	process
1672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

ir_exe.exe

pid	process
1992	ir_exe.exe
1992	ir_exe.exe
1992	ir_exe.exe
1992	ir_exe.exe
1992	ir_exe.exe
1992	ir_exe.exe
1992	ir_exe.exe
1992	ir_exe.exe
1992	ir_exe.exe
1992	ir_exe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ir_exe.exe

description pid process

Token: SeDebugPrivilege 1992 ir_exe.exe

description	pid	process
Token: SeDebugPrivilege	1992	ir_exe.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ir_exe.exe

description	pid	process	target process
PID 1992 wrote to memory of 1672	1992	ir_exe.exe	schtasks.exe
PID 1992 wrote to memory of 1672	1992	ir_exe.exe	schtasks.exe
PID 1992 wrote to memory of 1672	1992	ir_exe.exe	schtasks.exe
PID 1992 wrote to memory of 1672	1992	ir_exe.exe	schtasks.exe
PID 1992 wrote to memory of 316	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 316	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 316	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 316	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 808	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 808	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 808	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 808	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 972	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 972	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 972	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 972	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 700	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 700	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 700	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 700	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 1512	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 1512	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 1512	1992	ir_exe.exe	ir_exe.exe
PID 1992 wrote to memory of 1512	1992	ir_exe.exe	ir_exe.exe

C:\Users\Admin\AppData\Local\Temp\ir_exe.exe
"C:\Users\Admin\AppData\Local\Temp\ir_exe.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QEZTeXwcCq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1371.tmp"
2⤵
- Creates scheduled task(s)
PID:1672

C:\Users\Admin\AppData\Local\Temp\ir_exe.exe
"C:\Users\Admin\AppData\Local\Temp\ir_exe.exe"
2⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\ir_exe.exe
"C:\Users\Admin\AppData\Local\Temp\ir_exe.exe"
2⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\ir_exe.exe
"C:\Users\Admin\AppData\Local\Temp\ir_exe.exe"
2⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\ir_exe.exe
"C:\Users\Admin\AppData\Local\Temp\ir_exe.exe"
2⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\ir_exe.exe
"C:\Users\Admin\AppData\Local\Temp\ir_exe.exe"
2⤵
PID:1512

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1371.tmp
MD5
898e0a461275550bcdc2574f1aba7228

SHA1
1b08c46dc6faaee751928221d1bd1e0ea4f76fcf

SHA256
8c8906635775c5dd17519d51d929c26594ff92989fde28119884513ed2adbd26

SHA512
f93bce2d7a9fb9de5c3c5f6b8fbdf86a2b2fd7a84cc59e99719ce9ef3f83a29d1f108a79250eb0ccd8483f66d7d430dd62d80c6727684394d71460d06ecdd71a

Download Submit
memory/1672-7-0x0000000000000000-mapping.dmp

Download
memory/1992-2-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-3-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1992-5-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1992-6-0x0000000002210000-0x000000000226E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads