Analysis

max time kernel: 136s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 26-03-2022 02:47
Static task: static1

Behavioral task: behavioral1
  Sample: 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
  Resource: win7-20220311-en

Behavioral task: behavioral2 (the run reported on this page; it matches the platform and resource listed under Analysis)
  Sample: 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
  Resource: win10v2004-en-20220113
General

Target: 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
Size: 821KB
MD5: 9b5980d4c58ba4d01a977e2b971f132d
SHA1: 35b68f76bfcd55b845092448e5e02d246e8f1376
SHA256: 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba
SHA512: 6dc5a02865a563035a07bfb178db224a0c60aeb144da6f3c230f097114c91b67b3ba5ac5f4a9ba7a5672f5ef59c37f3c5c737160c5c058310e68feb2cf8d93a2

The file name is the sample's own SHA256, so the submitted file had been renamed to its hash before submission; the original name is not known from this report.
Malware Config
Signatures
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                                                                 procid_target
  PID 2924 set thread context of 1420  2924  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe  80

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1660  schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  1420  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
  1420  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
  2692  powershell.exe
  2692  powershell.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  2924  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1420  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
  Token: SeDebugPrivilege  2692  powershell.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2924 wrote to memory of 1340  2924  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe  79
  PID 2924 wrote to memory of 1340  2924  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe  79
  PID 2924 wrote to memory of 1340  2924  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe  79
  PID 2924 wrote to memory of 1420  2924  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe  80
  PID 2924 wrote to memory of 1420  2924  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe  80
  PID 2924 wrote to memory of 1420  2924  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe  80
  PID 2924 wrote to memory of 1420  2924  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe  80
  PID 1340 wrote to memory of 1660  1340  cmd.exe                                                                 81
  PID 1340 wrote to memory of 1660  1340  cmd.exe                                                                 81
  PID 1340 wrote to memory of 1660  1340  cmd.exe                                                                 81
  PID 1420 wrote to memory of 2692  1420  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe  83
  PID 1420 wrote to memory of 2692  1420  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe  83
  PID 1420 wrote to memory of 2692  1420  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe  83

  procid_target is the report's own index of the target process; it is not the Windows PID named in the description (1340 is listed as 79, 1420 as 80, 1660 as 81, 2692 as 83). Repeated rows are separate calls: the three writes from cmd.exe into schtasks.exe and from the sample into powershell.exe are the normal CreateProcess pattern of a parent setting up its child, whereas the four writes from PID 2924 into its own second instance (PID 1420), followed by SetThreadContext on that instance, are the part worth attention.
Processes

C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe  (PID 2924)
  "C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 1340)
  |     cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9d77f4a40ffa452f8c1e2fdd2b545943.xml"
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\SysWOW64\schtasks.exe  (PID 1660)
  |           schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9d77f4a40ffa452f8c1e2fdd2b545943.xml"
  |           - Creates scheduled task(s)
  |
  +-- C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe  (PID 1420)
        "C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2692)
              "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe'
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

Reading the tree:
- The first instance (PID 2924) launches a second copy of its own image (PID 1420), writes into it four times and calls SetThreadContext on it, and is also flagged for MapViewOfSection. That is the sequence typically used to place a payload in a suspended copy of the same executable and redirect its execution, and it fits the signatures: the process enumeration and SeDebugPrivilege use are reported from PID 1420, not from PID 2924. A memory dump of PID 1420, rather than the file on disk, is where the unpacked payload should be looked for.
- cmd.exe, schtasks.exe and powershell.exe all resolve under C:\Windows\SysWOW64, so the sample is a 32-bit image running on the x64 guest.
- Persistence is attempted with schtasks /Create from an XML task definition in the user's %TEMP%, registered under the literal task name "name". The XML file is not part of this report, so the task's trigger and action are not known from this page alone.
- Two seconds after the second instance starts, it has PowerShell delete the original executable, so by the end of the run the sample file is gone from the sandbox disk. The hashes in the General section are those of the submitted file; keep that copy, as the detonated host will not have it.
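The three behaviours above, re-derived as detection logic over process-creation and cross-process API telemetry. This is an added example, not part of the sandbox report or of any vendor's rule set; the event records are constructed by hand from the report's Processes and Signatures sections (same PIDs, images, command lines and write counts), and the field names ("pid", "ppid", "image", "cmdline") are my own and match no particular EDR schema. The generalisation beyond this sample is deliberate: the self-injection check keys on "same image as the parent plus WriteProcessMemory plus SetThreadContext" rather than on this file name, and the self-delete check walks the whole ancestor chain rather than just the direct parent.

```python
"""Added example: re-derives the report's flagged behaviours (same-image
self-injection, schtasks /Create /XML from %TEMP%, PowerShell self-deletion)
from hand-built copies of its process tree and cross-process API IoCs."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe")
TASK_XML = r"C:\Users\Admin\AppData\Local\Temp\9d77f4a40ffa452f8c1e2fdd2b545943.xml"

# Process-creation events constructed from the report's "Processes" section.
# Field names are my own; they match no particular EDR schema.
PROCESSES = [
    {"pid": 2924, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1340, "ppid": 2924, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd /c schtasks /Create /TN name /XML "{TASK_XML}"'},
    {"pid": 1660, "ppid": 1340, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": f'schtasks /Create /TN name /XML "{TASK_XML}"'},
    {"pid": 1420, "ppid": 2924, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2692, "ppid": 1420,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": '"powershell" Start-Sleep -Seconds 2; Remove-Item -path ' + f"'{SAMPLE}'"},
]

# (api, acting pid, target pid), constructed from the report's SetThreadContext
# and WriteProcessMemory tables: one context change and 13 writes.
API_EVENTS = (
    [("SetThreadContext", 2924, 1420)]
    + [("WriteProcessMemory", 2924, 1340)] * 3
    + [("WriteProcessMemory", 2924, 1420)] * 4
    + [("WriteProcessMemory", 1340, 1660)] * 3
    + [("WriteProcessMemory", 1420, 2692)] * 3
)


def _by_pid(procs):
    return {p["pid"]: p for p in procs}


def detect_self_injection(procs, api_events):
    """Parent writes into a child running the *same image* and then sets its
    thread context. Writes into a child alone are normal (cmd.exe -> schtasks.exe
    does it here too), so both conditions are required for a hit."""
    by_pid = _by_pid(procs)
    writes = {(s, d) for api, s, d in api_events if api == "WriteProcessMemory"}
    hits = []
    for api, src, dst in api_events:
        if api != "SetThreadContext":
            continue
        parent, child = by_pid.get(src), by_pid.get(dst)
        if (parent and child and child["ppid"] == parent["pid"]
                and child["image"].lower() == parent["image"].lower()
                and (src, dst) in writes):
            hits.append((src, dst))
    return hits


def detect_schtasks_xml_from_temp(procs):
    """schtasks /Create reading its task XML from a user's %TEMP%. Installers do
    this too, so alone it is weak; and without the XML (absent from the report)
    the task's trigger and action stay unknown."""
    hits = []
    for p in procs:
        cmd = p["cmdline"]
        m = re.search(r'/xml\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
        if not (p["image"].lower().endswith(r"\schtasks.exe") and m
                and re.search(r"/create\b", cmd, re.I)):
            continue
        xml_path = m.group(1) or m.group(2)
        if re.search(r"\\users\\[^\\]+\\appdata\\local\\temp\\", xml_path, re.I):
            hits.append((p["pid"], xml_path))
    return hits


def detect_self_delete(procs):
    """powershell.exe removing the executable of one of its own ancestors: the
    loader deleting its on-disk copy once the injected child is running."""
    by_pid = _by_pid(procs)
    hits = []
    for p in procs:
        if not p["image"].lower().endswith(r"\powershell.exe"):
            continue
        m = re.search(r"remove-item\s+(?:-path\s+)?['\"]([^'\"]+)['\"]", p["cmdline"], re.I)
        if not m:
            continue
        anc = by_pid.get(p["ppid"])
        while anc is not None:                      # walk up the parent chain
            if anc["image"].lower() == m.group(1).lower():
                hits.append((p["pid"], anc["pid"]))
                break
            anc = by_pid.get(anc["ppid"])
    return hits


if __name__ == "__main__":
    print("self-injection (parent, child):", detect_self_injection(PROCESSES, API_EVENTS))
    print("schtasks /XML from Temp (pid, xml):", detect_schtasks_xml_from_temp(PROCESSES))
    print("self-delete (powershell pid, deleted ancestor pid):", detect_self_delete(PROCESSES))
```

Run against the constructed events, the three checks return (2924, 1420), (1660, the Temp XML path) and (2692, 1420), which is exactly the story the tree tells; the same-image condition is what keeps the cmd.exe -> schtasks.exe writes out of the injection hit, and the Temp-path condition is the only thing separating the schtasks call from an ordinary installer, so the first and third hits should carry most of the weight in any scoring.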