b96c79ff7e741638ee99fc0461688440276bdb9df395d5325915408efd174876

General

Target

20d0f3a8ae795b85fd86cac5ef665e46.exe
Size

15.9MB
MD5

20d0f3a8ae795b85fd86cac5ef665e46
SHA1

cb969dfeee0fac7c84e0de81c1d56641ad068871
SHA256

b96c79ff7e741638ee99fc0461688440276bdb9df395d5325915408efd174876
SHA512

8cdac7f54ea45ac7282056037d90c58580af4351ce4994ab52d805ea4b1fbb6fb236fa5137f31ac39b5f65e9fd4b02442da9dc14be0e365c6002d8b3e1c724a7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

CL_Debug_Log.txt

pid process

3740 CL_Debug_Log.txt

pid	process
3740	CL_Debug_Log.txt

autoit_exe 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\32.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\64.exe	autoit_exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3952 schtasks.exe

pid	process
3952	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

CL_Debug_Log.txt

description	pid	process
Token: SeRestorePrivilege	3740	CL_Debug_Log.txt
Token: 35	3740	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3740	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3740	CL_Debug_Log.txt

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

20d0f3a8ae795b85fd86cac5ef665e46.exe

pid process

1844 20d0f3a8ae795b85fd86cac5ef665e46.exe
1844 20d0f3a8ae795b85fd86cac5ef665e46.exe
1844 20d0f3a8ae795b85fd86cac5ef665e46.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

20d0f3a8ae795b85fd86cac5ef665e46.exe

pid process

1844 20d0f3a8ae795b85fd86cac5ef665e46.exe
1844 20d0f3a8ae795b85fd86cac5ef665e46.exe
1844 20d0f3a8ae795b85fd86cac5ef665e46.exe

pid	process
1844	20d0f3a8ae795b85fd86cac5ef665e46.exe
1844	20d0f3a8ae795b85fd86cac5ef665e46.exe
1844	20d0f3a8ae795b85fd86cac5ef665e46.exe

pid	process
1844	20d0f3a8ae795b85fd86cac5ef665e46.exe
1844	20d0f3a8ae795b85fd86cac5ef665e46.exe
1844	20d0f3a8ae795b85fd86cac5ef665e46.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

20d0f3a8ae795b85fd86cac5ef665e46.execmd.exe

description	pid	process	target process
PID 1844 wrote to memory of 3740	1844	20d0f3a8ae795b85fd86cac5ef665e46.exe	CL_Debug_Log.txt
PID 1844 wrote to memory of 3740	1844	20d0f3a8ae795b85fd86cac5ef665e46.exe	CL_Debug_Log.txt
PID 1844 wrote to memory of 3740	1844	20d0f3a8ae795b85fd86cac5ef665e46.exe	CL_Debug_Log.txt
PID 1844 wrote to memory of 3816	1844	20d0f3a8ae795b85fd86cac5ef665e46.exe	cmd.exe
PID 1844 wrote to memory of 3816	1844	20d0f3a8ae795b85fd86cac5ef665e46.exe	cmd.exe
PID 1844 wrote to memory of 3816	1844	20d0f3a8ae795b85fd86cac5ef665e46.exe	cmd.exe
PID 3816 wrote to memory of 3952	3816	cmd.exe	schtasks.exe
PID 3816 wrote to memory of 3952	3816	cmd.exe	schtasks.exe
PID 3816 wrote to memory of 3952	3816	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\20d0f3a8ae795b85fd86cac5ef665e46.exe
"C:\Users\Admin\AppData\Local\Temp\20d0f3a8ae795b85fd86cac5ef665e46.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
2⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
3⤵
- Creates scheduled task(s)
PID:3952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.exe
MD5
b44a7782a0e4af1f04032eaa5185c4a0

SHA1
c475341fc11a37c21381d6dc37ed22be2d7df6e7

SHA256
30261f5d6a79d12f1cdb23f6e14a141cc06b964514db081dab79a975f9ac602c

SHA512
9689223ba7e2bdfe77a2af20e37696e7837aef8dfebcc8b343843194639e6a2198698c15197e41902b60bc13509f1b240e15c91162bcfb546bfb376dd74a41d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe
MD5
7c05401e99f7250b5232dbb474846f0c

SHA1
df31c9b63d09863a661d3cc4806d81281b5612b6

SHA256
cf3442c8f972ad73fb4eb3caef2f64c9bc6e53876b6f5a8cc9e4559bfe4b18d4

SHA512
ca974080785587a5496408ab7d9e437d0a61572e799e3339bafcbaf68c527712ce06a513d10663f7594d4a8f7aa64f63134581bada0b068d4319292efe06ff01

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt
MD5
b6f57992a1d63c4efc9b849375bc0697

SHA1
43403945ce68d8459c296fc15373a33e880aca44

SHA256
a8ee869489a0edc281f316a477fd2f55bd22f270a47c3ae87c894bd7c2f218a2

SHA512
813d853721864e03a2c25773a6ec1e3f2ee38491757d89e98458f7e8ef20db46f04411976a1119775b6c380e82680ad558ca7030862b606a2ae0200f98132781

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml
MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
memory/1844-123-0x00000000012D0000-0x0000000001309000-memory.dmp

Filesize
228KB

Download
memory/1844-122-0x00000000012D0000-0x0000000001309000-memory.dmp

Filesize
228KB

Download
memory/1844-124-0x00000000012D0000-0x0000000001309000-memory.dmp

Filesize
228KB

Download
memory/1844-125-0x0000000001310000-0x0000000001333000-memory.dmp

Filesize
140KB

Download
memory/3740-115-0x0000000000000000-mapping.dmp

Download
memory/3816-119-0x0000000000000000-mapping.dmp

Download
memory/3952-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads