994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0

General

Target

994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
Size

165KB
MD5

a5f245f600e59fce5acfa9d1606a593c
SHA1

a411636373d73ac2d0213c7e531c54e92a609cc7
SHA256

994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0
SHA512

ca25db599913f9e5e8300f93fb7a542f72ea4d4f8ff4b921c099a8e63019280122f4f685db7cf2e0362e062514618fc480652040a770b735b3e39b3c6beb84d5

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

660 schtasks.exe
3244 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dw20.exe

pid process

1220 dw20.exe
1220 dw20.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dw20.exe

description pid process

Token: SeRestorePrivilege 1220 dw20.exe
Token: SeBackupPrivilege 1220 dw20.exe

pid	process
660	schtasks.exe
3244	schtasks.exe

pid	process
1220	dw20.exe
1220	dw20.exe

description	pid	process
Token: SeRestorePrivilege	1220	dw20.exe
Token: SeBackupPrivilege	1220	dw20.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe

description	pid	process	target process
PID 2492 wrote to memory of 3492	2492	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 2492 wrote to memory of 3492	2492	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 2492 wrote to memory of 3492	2492	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 2492 wrote to memory of 660	2492	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 2492 wrote to memory of 660	2492	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 2492 wrote to memory of 660	2492	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 2492 wrote to memory of 1220	2492	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	dw20.exe
PID 2492 wrote to memory of 1220	2492	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	dw20.exe
PID 2492 wrote to memory of 1220	2492	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	dw20.exe
PID 1420 wrote to memory of 1548	1420	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1420 wrote to memory of 1548	1420	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1420 wrote to memory of 1548	1420	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1420 wrote to memory of 3244	1420	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1420 wrote to memory of 3244	1420	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe
PID 1420 wrote to memory of 3244	1420	994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
"C:\Users\Admin\AppData\Local\Temp\994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:3492

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Users\Admin\AppData\Local\Temp\994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
C:\Users\Admin\AppData\Local\Temp\994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:1548

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\994aadc644d5c91b26b7012e5a72863e57f3580773d8a002ec264c3b436d0db0.bin.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:3244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/660-117-0x0000000000000000-mapping.dmp

Download
memory/1220-118-0x0000000000000000-mapping.dmp

Download
memory/1420-119-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1548-120-0x0000000000000000-mapping.dmp

Download
memory/2492-115-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/3244-121-0x0000000000000000-mapping.dmp

Download
memory/3492-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads