3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542

General

Target

3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe
Size

15.9MB
MD5

63eab98c58513c72bb16222502d07f0b
SHA1

4eb8c5f48509483ff66f06132f04f81ddcb269b0
SHA256

3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542
SHA512

bcf2c16aa856b8fd0f8c94dfbbafa2c061485f4a79440af7e1d9ab0713d56bd631699b16b53382c3410c7f5212bca67b819520d8dae98f612678e65421bd0c93

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

CL_Debug_Log.txt

pid process

3488 CL_Debug_Log.txt

pid	process
3488	CL_Debug_Log.txt

autoit_exe 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\32.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\64.exe	autoit_exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4088 schtasks.exe

pid	process
4088	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

CL_Debug_Log.txt

description	pid	process
Token: SeRestorePrivilege	3488	CL_Debug_Log.txt
Token: 35	3488	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3488	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3488	CL_Debug_Log.txt

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe

pid	process
3996	3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe
3996	3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe
3996	3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe

pid	process
3996	3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe
3996	3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe
3996	3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.execmd.exe

description	pid	process	target process
PID 3996 wrote to memory of 3488	3996	3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe	CL_Debug_Log.txt
PID 3996 wrote to memory of 3488	3996	3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe	CL_Debug_Log.txt
PID 3996 wrote to memory of 3488	3996	3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe	CL_Debug_Log.txt
PID 3996 wrote to memory of 3924	3996	3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe	cmd.exe
PID 3996 wrote to memory of 3924	3996	3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe	cmd.exe
PID 3996 wrote to memory of 3924	3996	3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe	cmd.exe
PID 3924 wrote to memory of 4088	3924	cmd.exe	schtasks.exe
PID 3924 wrote to memory of 4088	3924	cmd.exe	schtasks.exe
PID 3924 wrote to memory of 4088	3924	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe
"C:\Users\Admin\AppData\Local\Temp\3e69411d35870c80fb0dd87d83abe81614ecc6da486b4546eecb85697e328542.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
  C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
    3⤵
    - Creates scheduled task(s)
    PID:4088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.exe

MD5
dc79ba5d0fd098a6cfc9866680b77378

SHA1
7bb25dd50236720898d479e24443f6a2c066a709

SHA256
c8abb0bf1d529aa444cbf0b459668d933d1e37c8555422121cdf66d753c1df42

SHA512
0b4af909d79919e55b0a38d456230362eb150bacf9929aabd30af5402f5133e8c955b8e6b925ec6458256d1e17a6e98fb2f3550b25a539350c685c64646c81ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

MD5
859bc901c9a8404b7e10ff5bc3841e7d

SHA1
2b89ad3c97064918c0e282d39ab718682e981a19

SHA256
04f8b8462cf98be3c382175a48076d658b800b4c68ee903fb6247b7dd18d190b

SHA512
bfc4cace05db94821571514518b74bdfbb7b54a307a06926d6225cf4536319c19c0d338d590bd2c326bc53812078dd332b227bc3e13dfeff04ca8434f69e49bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

MD5
a2aaedc0bed961b1f60b4c13d6f0cacb

SHA1
75a44f857d3baf7c4181e7498b3df10dc5bd35d6

SHA256
03480bea2e1966f1cd5ede9cc6c2de57897b1dc9ff82db7df17e888952c7d59b

SHA512
f4ce87bb8b7c181005f49eac2688304d41f3ef6b42cc994f7312f8ac0dfa45af2b26691f552d3f08c0558f030920f45fdffa6494fa5cbddbcac72d58c0fdaae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

MD5
1e7c1b1fb3191ffb5801b9eb0243c7be

SHA1
c43ecb6dc6704936cea7db72b77a6b4ca582ac7a

SHA256
6a42feca53ca51dda9ec0100f048a1f7eb7779030798844aa5002afdfba34fa3

SHA512
d5104aa16ee002250aede558860837ead90271bae9000edd6241ddfaca2e467f2ecf7ed7e81c9f62eee7352c6dd11973ecded2a176e49adecc484c83ac4d9886

Download Submit
memory/3488-115-0x0000000000000000-mapping.dmp

Download
memory/3924-119-0x0000000000000000-mapping.dmp

Download
memory/3996-120-0x00000000008E0000-0x0000000000903000-memory.dmp

Filesize
140KB

Download
memory/3996-121-0x00000000008E0000-0x0000000000903000-memory.dmp

Filesize
140KB

Download
memory/3996-122-0x00000000008E0000-0x0000000000903000-memory.dmp

Filesize
140KB

Download
memory/3996-123-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/4088-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads