98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511

General

Target

98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe
Size

830KB
MD5

9d547cdfaa4bdfc8329ce71b1980e36c
SHA1

ffb5585af1c1f5ee36417116b8ed010e1383d906
SHA256

98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511
SHA512

56574e089ab9df6c068812866fac7983bbd0fe1dcd75e1da9e2d4f240393a6eb3b1db43b4a59daf5c82461e97e78df68d6a1ec18ea4449effd38ee33e0f3a40d

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe

description	pid	process	target process
PID 3600 set thread context of 1980	3600	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2040 schtasks.exe

pid	process
2040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exepowershell.exe

pid	process
1980	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe
1980	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe
4700	powershell.exe
4700	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe

pid process

3600 98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe

pid	process
3600	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1980	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe
Token: SeDebugPrivilege	4700	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.execmd.exe98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe

description	pid	process	target process
PID 3600 wrote to memory of 1704	3600	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe	cmd.exe
PID 3600 wrote to memory of 1704	3600	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe	cmd.exe
PID 3600 wrote to memory of 1704	3600	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe	cmd.exe
PID 3600 wrote to memory of 1980	3600	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe
PID 3600 wrote to memory of 1980	3600	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe
PID 3600 wrote to memory of 1980	3600	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe
PID 3600 wrote to memory of 1980	3600	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe
PID 1704 wrote to memory of 2040	1704	cmd.exe	schtasks.exe
PID 1704 wrote to memory of 2040	1704	cmd.exe	schtasks.exe
PID 1704 wrote to memory of 2040	1704	cmd.exe	schtasks.exe
PID 1980 wrote to memory of 4700	1980	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe	powershell.exe
PID 1980 wrote to memory of 4700	1980	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe	powershell.exe
PID 1980 wrote to memory of 4700	1980	98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe
"C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2040
- C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe
  "C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml

MD5
c673ecc050b1038f727be09aa61cb4b1

SHA1
d2960b6d62810ce8745f6353d6924ae79af01e7e

SHA256
8f2648a15094c455e21cab1ba01133d9d9d17caaab1bb2ee782da160898880e4

SHA512
d6b75c8068c3d9208585413f7a799f69b05e141446d09925f9aae34ac65c0745f37196ec3aeb369e2c8dea6ddfcc55c07fe8f227a06d79dfa408f3d2315c29e6

Download Submit
memory/1704-130-0x0000000000000000-mapping.dmp

Download
memory/1980-131-0x0000000000000000-mapping.dmp

Download
memory/1980-134-0x0000000005B30000-0x0000000005BC2000-memory.dmp

Filesize
584KB

Download
memory/1980-135-0x00000000063E0000-0x0000000006984000-memory.dmp

Filesize
5.6MB

Download
memory/1980-136-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/2040-132-0x0000000000000000-mapping.dmp

Download
memory/4700-138-0x0000000002C20000-0x0000000002C56000-memory.dmp

Filesize
216KB

Download
memory/4700-137-0x0000000000000000-mapping.dmp

Download
memory/4700-139-0x0000000005670000-0x0000000005C98000-memory.dmp

Filesize
6.2MB

Download
memory/4700-140-0x0000000005CD0000-0x0000000005CF2000-memory.dmp

Filesize
136KB

Download
memory/4700-141-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/4700-142-0x00000000064D0000-0x00000000064EE000-memory.dmp

Filesize
120KB

Download
memory/4700-143-0x0000000002C95000-0x0000000002C97000-memory.dmp

Filesize
8KB

Download
memory/4700-144-0x0000000007BC0000-0x000000000823A000-memory.dmp

Filesize
6.5MB

Download
memory/4700-145-0x0000000006A50000-0x0000000006A6A000-memory.dmp

Filesize
104KB

Download
memory/4700-147-0x0000000006B20000-0x0000000006B42000-memory.dmp

Filesize
136KB

Download
memory/4700-146-0x00000000077E0000-0x0000000007876000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads