b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f

General

Target

b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe
Size

1.2MB
MD5

d07a09607469ef8691d34d81376125cc
SHA1

6b5fa836c06af55cdd45d257718f24723f280b1d
SHA256

b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f
SHA512

1791eb8143bbf0060d38590a723d8b96bbddf0292e3840a6febd4e50cc19ab02d96bdd1f8042ffa267ce1cd0c182d7eeac9f3883a632f829000edb0091a01295

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe

description	pid	process	target process
PID 1160 set thread context of 2732	1160	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3320 schtasks.exe

pid	process
3320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exepowershell.exe

pid	process
2732	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe
2732	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe
4088	powershell.exe
4088	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe

pid process

1160 b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe

pid	process
1160	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2732	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe
Token: SeDebugPrivilege	4088	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.execmd.exeb3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe

description	pid	process	target process
PID 1160 wrote to memory of 2720	1160	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe	cmd.exe
PID 1160 wrote to memory of 2720	1160	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe	cmd.exe
PID 1160 wrote to memory of 2720	1160	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe	cmd.exe
PID 1160 wrote to memory of 2732	1160	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe
PID 1160 wrote to memory of 2732	1160	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe
PID 1160 wrote to memory of 2732	1160	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe
PID 1160 wrote to memory of 2732	1160	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe
PID 2720 wrote to memory of 3320	2720	cmd.exe	schtasks.exe
PID 2720 wrote to memory of 3320	2720	cmd.exe	schtasks.exe
PID 2720 wrote to memory of 3320	2720	cmd.exe	schtasks.exe
PID 2732 wrote to memory of 4088	2732	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe	powershell.exe
PID 2732 wrote to memory of 4088	2732	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe	powershell.exe
PID 2732 wrote to memory of 4088	2732	b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe
"C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3320
- C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe
  "C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml

Filesize
1KB

MD5
c673ecc050b1038f727be09aa61cb4b1

SHA1
d2960b6d62810ce8745f6353d6924ae79af01e7e

SHA256
8f2648a15094c455e21cab1ba01133d9d9d17caaab1bb2ee782da160898880e4

SHA512
d6b75c8068c3d9208585413f7a799f69b05e141446d09925f9aae34ac65c0745f37196ec3aeb369e2c8dea6ddfcc55c07fe8f227a06d79dfa408f3d2315c29e6

Download Submit
memory/1160-130-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2720-131-0x0000000000000000-mapping.dmp

Download
memory/2732-132-0x0000000000000000-mapping.dmp

Download
memory/2732-135-0x0000000005830000-0x00000000058C2000-memory.dmp

Filesize
584KB

Download
memory/2732-136-0x0000000005E80000-0x0000000006424000-memory.dmp

Filesize
5.6MB

Download
memory/2732-137-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/3320-133-0x0000000000000000-mapping.dmp

Download
memory/4088-138-0x0000000000000000-mapping.dmp

Download
memory/4088-139-0x00000000047D0000-0x0000000004806000-memory.dmp

Filesize
216KB

Download
memory/4088-140-0x0000000004E40000-0x0000000005468000-memory.dmp

Filesize
6.2MB

Download
memory/4088-141-0x00000000054D0000-0x00000000054F2000-memory.dmp

Filesize
136KB

Download
memory/4088-142-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/4088-143-0x0000000005D50000-0x0000000005D6E000-memory.dmp

Filesize
120KB

Download
memory/4088-144-0x0000000002445000-0x0000000002447000-memory.dmp

Filesize
8KB

Download
memory/4088-145-0x0000000007330000-0x00000000079AA000-memory.dmp

Filesize
6.5MB

Download
memory/4088-146-0x0000000006250000-0x000000000626A000-memory.dmp

Filesize
104KB

Download
memory/4088-147-0x0000000006F50000-0x0000000006FE6000-memory.dmp

Filesize
600KB

Download
memory/4088-148-0x0000000006EE0000-0x0000000006F02000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads