Analysis

  • max time kernel
    132s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    26-03-2022 11:32

General

  • Target

    575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe

  • Size

    830KB

  • MD5

    939f26c3678098a40fcea9a4302a70d9

  • SHA1

    e2a8bebb901dbda91d672302d177510e813645de

  • SHA256

    575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2

  • SHA512

    995365a65c753ec603e47950a040fa41baefc0dd1aafe3b34bb0dfcb01687d6d66ad2aa3b1958d6fa65063ba2e7cd868cea4869351297ac8532629e8d0c5eee1

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
    "C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"
        3⤵
        • Creates scheduled task(s)
        PID:2400
    • C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
      "C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2920

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml

    Filesize

    1KB

    MD5

    c673ecc050b1038f727be09aa61cb4b1

    SHA1

    d2960b6d62810ce8745f6353d6924ae79af01e7e

    SHA256

    8f2648a15094c455e21cab1ba01133d9d9d17caaab1bb2ee782da160898880e4

    SHA512

    d6b75c8068c3d9208585413f7a799f69b05e141446d09925f9aae34ac65c0745f37196ec3aeb369e2c8dea6ddfcc55c07fe8f227a06d79dfa408f3d2315c29e6

  • memory/2172-134-0x0000000005680000-0x0000000005712000-memory.dmp

    Filesize

    584KB

  • memory/2172-135-0x0000000005F20000-0x00000000064C4000-memory.dmp

    Filesize

    5.6MB

  • memory/2172-136-0x0000000005A50000-0x0000000005AB6000-memory.dmp

    Filesize

    408KB

  • memory/2920-138-0x00000000028E0000-0x0000000002916000-memory.dmp

    Filesize

    216KB

  • memory/2920-139-0x0000000005320000-0x0000000005948000-memory.dmp

    Filesize

    6.2MB

  • memory/2920-140-0x0000000005980000-0x00000000059A2000-memory.dmp

    Filesize

    136KB

  • memory/2920-141-0x0000000005B20000-0x0000000005B86000-memory.dmp

    Filesize

    408KB

  • memory/2920-142-0x0000000006210000-0x000000000622E000-memory.dmp

    Filesize

    120KB

  • memory/2920-143-0x0000000002945000-0x0000000002947000-memory.dmp

    Filesize

    8KB

  • memory/2920-144-0x0000000007A00000-0x000000000807A000-memory.dmp

    Filesize

    6.5MB

  • memory/2920-145-0x0000000006600000-0x000000000661A000-memory.dmp

    Filesize

    104KB

  • memory/2920-146-0x0000000007420000-0x00000000074B6000-memory.dmp

    Filesize

    600KB

  • memory/2920-147-0x00000000073B0000-0x00000000073D2000-memory.dmp

    Filesize

    136KB