Analysis

- max time kernel: 125s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 26-03-2022 05:47

Static task: static1

Behavioral task: behavioral1
- Sample: 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
- Resource: win7-20220311-en

Behavioral task: behavioral2
- Sample: 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
- Resource: win10v2004-en-20220113
General

- Target: 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
- Size: 1.2MB
- MD5: f59e76fec35f01ad7f96b7f745eb1876
- SHA1: 7bf2cacf634758d1106d75719577064e6546d7b7
- SHA256: 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3
- SHA512: 409fd7d9a5a6b87be9b14f38c391057d918fd8f79cfe2ed9ed0238d9cdc39c8fca2b6b3868835bc0c914c2e43692b79da13af3bdf27748dfbbc4c2132d7c4573
Malware Config
Signatures

Suspicious use of SetThreadContext (1 IoC)
description                         | pid  | Process                                                              | procid_target
PID 4184 set thread context of 4564 | 4184 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 85

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  | Process
4020 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid  | Process
4564 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
4564 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
952  | powershell.exe
952  | powershell.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
pid  | Process
1344 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
4184 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description             | pid  | Process
Token: SeDebugPrivilege | 4564 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Token: SeDebugPrivilege | 952  | powershell.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description                      | pid  | Process                                                              | procid_target
PID 1344 wrote to memory of 5112 | 1344 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 80
PID 1344 wrote to memory of 5112 | 1344 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 80
PID 1344 wrote to memory of 5112 | 1344 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 80
PID 1344 wrote to memory of 4156 | 1344 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 82
PID 1344 wrote to memory of 4156 | 1344 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 82
PID 1344 wrote to memory of 4156 | 1344 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 82
PID 1344 wrote to memory of 4184 | 1344 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 83
PID 1344 wrote to memory of 4184 | 1344 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 83
PID 1344 wrote to memory of 4184 | 1344 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 83
PID 5112 wrote to memory of 4020 | 5112 | cmd.exe                                                              | 84
PID 5112 wrote to memory of 4020 | 5112 | cmd.exe                                                              | 84
PID 5112 wrote to memory of 4020 | 5112 | cmd.exe                                                              | 84
PID 4184 wrote to memory of 4564 | 4184 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 85
PID 4184 wrote to memory of 4564 | 4184 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 85
PID 4184 wrote to memory of 4564 | 4184 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 85
PID 4184 wrote to memory of 4564 | 4184 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 85
PID 4564 wrote to memory of 952  | 4564 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 91
PID 4564 wrote to memory of 952  | 4564 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 91
PID 4564 wrote to memory of 952  | 4564 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 91
Processes

Process tree (indentation shows parent/child depth):

C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe"
    PID: 1344
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"
        PID: 5112
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"
            PID: 4020
            - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe"
        PID: 4156

    C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe"
        PID: 4184
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe"
            PID: 4564
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe'
                PID: 952
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken