e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b

General

Target

e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
Size

5.3MB
MD5

099e0502c814215f447660a9fc591361
SHA1

a2917fbe5157fee9e2a70258a96f66aa2498c733
SHA256

e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b
SHA512

e6519b42ff0ed5feafe6bb92d578417468456b849cddce29043835bfa63108f45bd12c35fb5a2f7b2baea3c7bb7c5381c979d6a759232964d64a07edda33fffa

Score

5^/10

Malware Config

Signatures

autoit_exe 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/828-55-0x0000000000C90000-0x0000000001256000-memory.dmp	autoit_exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\PROGRA~2\XPSRAS~1\vp8decoder.dll	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
File opened for modification	C:\PROGRA~2\XPSRAS~1\vp8decoder.dll	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
File created	C:\PROGRA~2\XPSRAS~1\xservice.exe	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
File opened for modification	C:\PROGRA~2\XPSRAS~1\xservice.exe	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
File opened for modification	C:\PROGRA~2\XPSRAS~1\xps.exe	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
File opened for modification	C:\PROGRA~2\XPSRAS~1	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
File created	C:\PROGRA~2\XPSRAS~1\vp8encoder.dll	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
File opened for modification	C:\PROGRA~2\XPSRAS~1\vp8encoder.dll	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
File created	C:\PROGRA~2\XPSRAS~1\settings.dat	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
File opened for modification	C:\PROGRA~2\XPSRAS~1\settings.dat	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1676	schtasks.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
828	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
828	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
828	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 620	828	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe	28
PID 828 wrote to memory of 620	828	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe	28
PID 828 wrote to memory of 620	828	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe	28
PID 828 wrote to memory of 620	828	e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe	28
PID 620 wrote to memory of 1676	620	cmd.exe	30
PID 620 wrote to memory of 1676	620	cmd.exe	30
PID 620 wrote to memory of 1676	620	cmd.exe	30
PID 620 wrote to memory of 1676	620	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
"C:\Users\Admin\AppData\Local\Temp\e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe"
1⤵
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Create /SC ONLOGON /TN "XPS Rasterization Service Component" /TR "C:\PROGRA~2\XPSRAS~1\xservice.exe" /RL HIGHEST
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /SC ONLOGON /TN "XPS Rasterization Service Component" /TR "C:\PROGRA~2\XPSRAS~1\xservice.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/828-54-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/828-55-0x0000000000C90000-0x0000000001256000-memory.dmp

Filesize
5.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads