5fc84f25b331a01c87e4f7652a396a83403c0efc27cefeec6cea69b954a01040

General

Target

Order list 20.1.2021 07u9Uxttb5ltGU.exe
Size

1.7MB
MD5

8935c408c5650172e350acb92e7cc659
SHA1

69fbb8236dc958388bdaf65b986894365d6dae6b
SHA256

5fc84f25b331a01c87e4f7652a396a83403c0efc27cefeec6cea69b954a01040
SHA512

55312234692bbd6e2b60128350a32e02d2d8affbaa154280b5f080044039f14660114483baaf81baa940122aa4b04a7a247ca5df02ef7ca993d287b8c6dfdd5e

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

916 schtasks.exe

pid	process
916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Order list 20.1.2021 07u9Uxttb5ltGU.exe

pid	process
644	Order list 20.1.2021 07u9Uxttb5ltGU.exe
644	Order list 20.1.2021 07u9Uxttb5ltGU.exe
644	Order list 20.1.2021 07u9Uxttb5ltGU.exe
644	Order list 20.1.2021 07u9Uxttb5ltGU.exe
644	Order list 20.1.2021 07u9Uxttb5ltGU.exe
644	Order list 20.1.2021 07u9Uxttb5ltGU.exe
644	Order list 20.1.2021 07u9Uxttb5ltGU.exe
644	Order list 20.1.2021 07u9Uxttb5ltGU.exe
644	Order list 20.1.2021 07u9Uxttb5ltGU.exe
644	Order list 20.1.2021 07u9Uxttb5ltGU.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Order list 20.1.2021 07u9Uxttb5ltGU.exe

description pid process

Token: SeDebugPrivilege 644 Order list 20.1.2021 07u9Uxttb5ltGU.exe

description	pid	process
Token: SeDebugPrivilege	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Order list 20.1.2021 07u9Uxttb5ltGU.exe

C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe
"C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gIZSEI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp191C.tmp"
2⤵
- Creates scheduled task(s)
PID:916

C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe
"C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe"
2⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe
"C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe"
2⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe
"C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe"
2⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe
"C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe"
2⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe
"C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe"
2⤵
PID:844

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp191C.tmp
MD5
91c932d46e1537134a3b45b5ec376360

SHA1
5c885ea85c4414a2ab4f2ec8bf1070ff8b7d6281

SHA256
1ef2c5b011314dfd78f380bbd9f66ef1a59af89386bca179a9688b8133efe8db

SHA512
69f67fcb16932981f2cd6faf2527be2a01eb3e35daf8bbfaba4a19780598edfdeee7ae5a5e12b8135c21460366e64a078b51c4d23158925c0b21581250653acd

Download Submit
memory/644-2-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/644-3-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/644-5-0x00000000005B0000-0x00000000005D3000-memory.dmp

Filesize
140KB

Download
memory/644-6-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/644-7-0x0000000007920000-0x000000000798B000-memory.dmp

Filesize
428KB

Download
memory/916-8-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 644 wrote to memory of 916	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	schtasks.exe
PID 644 wrote to memory of 916	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	schtasks.exe
PID 644 wrote to memory of 916	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	schtasks.exe
PID 644 wrote to memory of 916	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	schtasks.exe
PID 644 wrote to memory of 1008	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 1008	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 1008	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 1008	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 552	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 552	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 552	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 552	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 976	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 976	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 976	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 976	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 800	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 800	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 800	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 800	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 844	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 844	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 844	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe
PID 644 wrote to memory of 844	644	Order list 20.1.2021 07u9Uxttb5ltGU.exe	Order list 20.1.2021 07u9Uxttb5ltGU.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads