10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1

General

Target

10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe
Size

1.2MB
MD5

6dcf680a1915d66a2a596a823cfd91e1
SHA1

e4950f369f8f3c3b94bd93f917a116893b1cbee2
SHA256

10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1
SHA512

ca189943e1513b705e61b68f290bdb8d22a56d6024fccdf6b477e2ac979b0d695ca7918742fb90853ae79d70c7c99533409c2873b8a90cd88a1caf3be0a3cd10

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 328	1700	10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe	78

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
328	10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe
328	10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe
5084	powershell.exe
5084	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1700	10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	328	10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe
Token: SeDebugPrivilege	5084	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 3960	1700	10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe	76
PID 1700 wrote to memory of 3960	1700	10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe	76
PID 1700 wrote to memory of 3960	1700	10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe	76
PID 1700 wrote to memory of 328	1700	10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe	78
PID 1700 wrote to memory of 328	1700	10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe	78
PID 1700 wrote to memory of 328	1700	10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe	78
PID 1700 wrote to memory of 328	1700	10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe	78
PID 3960 wrote to memory of 3956	3960	cmd.exe	79
PID 3960 wrote to memory of 3956	3960	cmd.exe	79
PID 3960 wrote to memory of 3956	3960	cmd.exe	79
PID 328 wrote to memory of 5084	328	10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe	81
PID 328 wrote to memory of 5084	328	10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe	81
PID 328 wrote to memory of 5084	328	10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe	81

C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe
"C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3956
- C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe
  "C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml

Filesize
1KB

MD5
8a0cf1f6cfc8a5ef47c2c1a90888e5a1

SHA1
0da142e08b0ab9b9df5d1fdf3f3a47aaffd63aa2

SHA256
24a14fb0b915aabe7fceab6c2b1efdd13d30cfb9951b57e8fdba53e4e4fb94bb

SHA512
c2d3f8030a33239c275c53a932d3db8353d50646cb6ede1f2fb105940ac8ddf7a8abd6a110e985c2b01fae72378c141a304e2156ffea621021f6b902e8784118

Download Submit
memory/328-129-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download
memory/328-130-0x0000000005D20000-0x00000000062C4000-memory.dmp

Filesize
5.6MB

Download
memory/328-131-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/1700-124-0x0000000000B50000-0x0000000000BEC000-memory.dmp

Filesize
624KB

Download
memory/5084-133-0x0000000002730000-0x0000000002766000-memory.dmp

Filesize
216KB

Download
memory/5084-134-0x0000000005210000-0x0000000005838000-memory.dmp

Filesize
6.2MB

Download
memory/5084-135-0x0000000005070000-0x0000000005092000-memory.dmp

Filesize
136KB

Download
memory/5084-136-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/5084-137-0x0000000006070000-0x000000000608E000-memory.dmp

Filesize
120KB

Download
memory/5084-138-0x00000000027C5000-0x00000000027C7000-memory.dmp

Filesize
8KB

Download
memory/5084-139-0x0000000007690000-0x0000000007D0A000-memory.dmp

Filesize
6.5MB

Download
memory/5084-140-0x0000000006550000-0x000000000656A000-memory.dmp

Filesize
104KB

Download
memory/5084-141-0x00000000072B0000-0x0000000007346000-memory.dmp

Filesize
600KB

Download
memory/5084-142-0x0000000006620000-0x0000000006642000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads