994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0

General

Target

994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
Size

165KB
MD5

a5f245f600e59fce5acfa9d1606a593c
SHA1

a411636373d73ac2d0213c7e531c54e92a609cc7
SHA256

994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0
SHA512

ca25db599913f9e5e8300f93fb7a542f72ea4d4f8ff4b921c099a8e63019280122f4f685db7cf2e0362e062514618fc480652040a770b735b3e39b3c6beb84d5

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

524 schtasks.exe
960 schtasks.exe
1148 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dw20.exe

pid process

1220 dw20.exe

pid	process
524	schtasks.exe
960	schtasks.exe
1148	schtasks.exe

pid	process
1220	dw20.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exetaskeng.exe994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe

description	pid	process	target process
PID 2004 wrote to memory of 1876	2004	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 2004 wrote to memory of 1876	2004	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 2004 wrote to memory of 1876	2004	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 2004 wrote to memory of 1876	2004	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 2004 wrote to memory of 524	2004	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 2004 wrote to memory of 524	2004	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 2004 wrote to memory of 524	2004	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 2004 wrote to memory of 524	2004	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 2004 wrote to memory of 1220	2004	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	dw20.exe
PID 2004 wrote to memory of 1220	2004	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	dw20.exe
PID 2004 wrote to memory of 1220	2004	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	dw20.exe
PID 2004 wrote to memory of 1220	2004	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	dw20.exe
PID 608 wrote to memory of 1072	608	taskeng.exe	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
PID 608 wrote to memory of 1072	608	taskeng.exe	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
PID 608 wrote to memory of 1072	608	taskeng.exe	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
PID 608 wrote to memory of 1072	608	taskeng.exe	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
PID 1072 wrote to memory of 828	1072	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1072 wrote to memory of 828	1072	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1072 wrote to memory of 828	1072	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1072 wrote to memory of 828	1072	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1072 wrote to memory of 960	1072	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1072 wrote to memory of 960	1072	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1072 wrote to memory of 960	1072	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1072 wrote to memory of 960	1072	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 608 wrote to memory of 1096	608	taskeng.exe	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
PID 608 wrote to memory of 1096	608	taskeng.exe	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
PID 608 wrote to memory of 1096	608	taskeng.exe	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
PID 608 wrote to memory of 1096	608	taskeng.exe	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
PID 1096 wrote to memory of 288	1096	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1096 wrote to memory of 288	1096	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1096 wrote to memory of 288	1096	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1096 wrote to memory of 288	1096	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1096 wrote to memory of 1148	1096	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1096 wrote to memory of 1148	1096	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1096 wrote to memory of 1148	1096	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1096 wrote to memory of 1148	1096	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
"C:\Users\Admin\AppData\Local\Temp\994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:1876

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 444
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1220

C:\Windows\system32\taskeng.exe
taskeng.exe {D9F9FA1D-2F7C-4024-B29E-42E1E4423C3F} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Users\Admin\AppData\Local\Temp\994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
C:\Users\Admin\AppData\Local\Temp\994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:828

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:960

C:\Users\Admin\AppData\Local\Temp\994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
C:\Users\Admin\AppData\Local\Temp\994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:288

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1148

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-68-0x0000000000000000-mapping.dmp

Download
memory/524-57-0x0000000000000000-mapping.dmp

Download
memory/828-63-0x0000000000000000-mapping.dmp

Download
memory/960-64-0x0000000000000000-mapping.dmp

Download
memory/1072-61-0x0000000000000000-mapping.dmp

Download
memory/1072-65-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1096-66-0x0000000000000000-mapping.dmp

Download
memory/1096-70-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/1148-69-0x0000000000000000-mapping.dmp

Download
memory/1220-60-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1220-58-0x0000000000000000-mapping.dmp

Download
memory/1876-56-0x0000000000000000-mapping.dmp

Download
memory/2004-54-0x0000000076581000-0x0000000076583000-memory.dmp

Filesize
8KB

Download
memory/2004-55-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads