Analysis

max time kernel: 123s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 26-03-2022 03:19

Static task: static1

Behavioral task: behavioral1
- Sample: 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe
- Resource: win7-20220311-en

Behavioral task: behavioral2
- Sample: 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe
- Resource: win10v2004-en-20220113
General

- Target: 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe
- Size: 830KB
- MD5: 39fde22be218f8537ec6cb6a3b4cbc89
- SHA1: a8c4cdfc8dbbf6c1be4e6f7fc010f373827944dc
- SHA256: 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0
- SHA512: ef32c5638a7559a63e21c3af24717da68a2e5178ff7faeb3d63d62b7a10f9673f1d0187a6970fabedd4530c1011f7477321d8f09ed9d8fe7fca779030cfa19ce
Malware Config
Signatures

Suspicious use of SetThreadContext (1 IoC)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4912 set thread context of 1888 | 4912 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 98 |

Creates scheduled task(s) (1 TTP, 1 IoC)

Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
|---|---|
| 2004 | schtasks.exe |

Suspicious behavior: EnumeratesProcesses (4 IoCs)

| pid | Process |
|---|---|
| 1888 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe |
| 1888 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe |
| 2392 | powershell.exe |
| 2392 | powershell.exe |

Suspicious behavior: MapViewOfSection (4 IoCs)

| pid | Process |
|---|---|
| 2700 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe |
| 3088 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe |
| 1268 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe |
| 4912 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe |

Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 1888 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe |
| Token: SeDebugPrivilege | 2392 | powershell.exe |

Suspicious use of WriteProcessMemory (31 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2700 wrote to memory of 4196 | 2700 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 80 |
| PID 2700 wrote to memory of 4196 | 2700 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 80 |
| PID 2700 wrote to memory of 4196 | 2700 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 80 |
| PID 2700 wrote to memory of 4128 | 2700 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 81 |
| PID 2700 wrote to memory of 4128 | 2700 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 81 |
| PID 2700 wrote to memory of 4128 | 2700 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 81 |
| PID 2700 wrote to memory of 3088 | 2700 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 82 |
| PID 2700 wrote to memory of 3088 | 2700 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 82 |
| PID 2700 wrote to memory of 3088 | 2700 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 82 |
| PID 4196 wrote to memory of 2004 | 4196 | cmd.exe | 83 |
| PID 4196 wrote to memory of 2004 | 4196 | cmd.exe | 83 |
| PID 4196 wrote to memory of 2004 | 4196 | cmd.exe | 83 |
| PID 3088 wrote to memory of 448 | 3088 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 84 |
| PID 3088 wrote to memory of 448 | 3088 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 84 |
| PID 3088 wrote to memory of 448 | 3088 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 84 |
| PID 3088 wrote to memory of 1268 | 3088 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 85 |
| PID 3088 wrote to memory of 1268 | 3088 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 85 |
| PID 3088 wrote to memory of 1268 | 3088 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 85 |
| PID 1268 wrote to memory of 4856 | 1268 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 91 |
| PID 1268 wrote to memory of 4856 | 1268 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 91 |
| PID 1268 wrote to memory of 4856 | 1268 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 91 |
| PID 1268 wrote to memory of 4912 | 1268 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 92 |
| PID 1268 wrote to memory of 4912 | 1268 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 92 |
| PID 1268 wrote to memory of 4912 | 1268 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 92 |
| PID 4912 wrote to memory of 1888 | 4912 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 98 |
| PID 4912 wrote to memory of 1888 | 4912 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 98 |
| PID 4912 wrote to memory of 1888 | 4912 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 98 |
| PID 4912 wrote to memory of 1888 | 4912 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 98 |
| PID 1888 wrote to memory of 2392 | 1888 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 99 |
| PID 1888 wrote to memory of 2392 | 1888 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 99 |
| PID 1888 wrote to memory of 2392 | 1888 | 4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe | 99 |
Processes

Process tree (bracketed number is the depth in the tree; each entry lists the image path, the command line, the PID, and the signatures attributed to that process):

- [1] C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe
  - Command line: "C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe"
  - PID: 2700
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    - Command line: cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"
    - PID: 4196
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      - Command line: schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"
      - PID: 2004
      - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe
    - Command line: "C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe"
    - PID: 4128
  - [2] C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe
    - Command line: "C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe"
    - PID: 3088
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe
      - Command line: "C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe"
      - PID: 448
    - [3] C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe
      - Command line: "C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe"
      - PID: 1268
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe
        - Command line: "C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe"
        - PID: 4856
      - [4] C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe
        - Command line: "C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe"
        - PID: 4912
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe
          - Command line: "C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe"
          - PID: 1888
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            - Command line: "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\4d62bd74553c0786e9ab9a22f035a3dbc034d63472399e7edb8a945b383099a0.exe'
            - PID: 2392
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken