d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf

General

Target

d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
Size

973KB
MD5

916541e6803dd6f2339ddac435cc28bc
SHA1

088b005106dcf95ccb214902f9bd671bc386ae36
SHA256

d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf
SHA512

c59dcae9683b9863c5b805ff9ce81070ef572c2108d4209b6ad64d005359e27f328a0f8e3acc26c4d85435e3f30d8e4e7fd2c6a8de8df380e961a87c2a6e377d

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1312 schtasks.exe

pid	process
1312	schtasks.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exed8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exed8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exed8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exed8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exed8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exed8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe

pid	process
1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
428	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.execmd.exed8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exed8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exed8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exed8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exed8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exed8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe

description	pid	process	target process
PID 1964 wrote to memory of 1016	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	cmd.exe
PID 1964 wrote to memory of 1016	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	cmd.exe
PID 1964 wrote to memory of 1016	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	cmd.exe
PID 1964 wrote to memory of 1016	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	cmd.exe
PID 1016 wrote to memory of 1312	1016	cmd.exe	schtasks.exe
PID 1016 wrote to memory of 1312	1016	cmd.exe	schtasks.exe
PID 1016 wrote to memory of 1312	1016	cmd.exe	schtasks.exe
PID 1016 wrote to memory of 1312	1016	cmd.exe	schtasks.exe
PID 1964 wrote to memory of 1984	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1964 wrote to memory of 1984	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1964 wrote to memory of 1984	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1964 wrote to memory of 1984	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1964 wrote to memory of 1984	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1964 wrote to memory of 1376	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 1964 wrote to memory of 1376	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 1964 wrote to memory of 1376	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 1964 wrote to memory of 1376	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 1376 wrote to memory of 1108	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1376 wrote to memory of 1108	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1376 wrote to memory of 1108	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1376 wrote to memory of 1108	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1376 wrote to memory of 1108	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1376 wrote to memory of 1996	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 1376 wrote to memory of 1996	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 1376 wrote to memory of 1996	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 1376 wrote to memory of 1996	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 1996 wrote to memory of 2008	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1996 wrote to memory of 2008	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1996 wrote to memory of 2008	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1996 wrote to memory of 2008	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1996 wrote to memory of 2008	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1996 wrote to memory of 944	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 1996 wrote to memory of 944	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 1996 wrote to memory of 944	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 1996 wrote to memory of 944	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 944 wrote to memory of 1660	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 944 wrote to memory of 1660	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 944 wrote to memory of 1660	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 944 wrote to memory of 1660	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 944 wrote to memory of 1660	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 944 wrote to memory of 868	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 944 wrote to memory of 868	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 944 wrote to memory of 868	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 944 wrote to memory of 868	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 868 wrote to memory of 676	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 868 wrote to memory of 676	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 868 wrote to memory of 676	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 868 wrote to memory of 676	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 868 wrote to memory of 676	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 868 wrote to memory of 1864	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 868 wrote to memory of 1864	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 868 wrote to memory of 1864	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 868 wrote to memory of 1864	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 1864 wrote to memory of 820	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1864 wrote to memory of 820	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1864 wrote to memory of 820	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1864 wrote to memory of 820	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1864 wrote to memory of 820	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 1864 wrote to memory of 428	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 1864 wrote to memory of 428	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 1864 wrote to memory of 428	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 1864 wrote to memory of 428	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
PID 428 wrote to memory of 680	428	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe
PID 428 wrote to memory of 680	428	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
"C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN hghyh /XML "C:\Users\Admin\AppData\Local\Temp\b118352451ca445c83c32e8ee5d2d5c5.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN hghyh /XML "C:\Users\Admin\AppData\Local\Temp\b118352451ca445c83c32e8ee5d2d5c5.xml"
3⤵
- Creates scheduled task(s)
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
"C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
"C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
"C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
4⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
5⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
"C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
"C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
6⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
7⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
"C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
7⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
8⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
"C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
8⤵
PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b118352451ca445c83c32e8ee5d2d5c5.xml

Filesize
1KB

MD5
50c7d96141cdd50386ae866b74565f0f

SHA1
8cbadc1644145bf381f632d52acd1f1c0a5aceb6

SHA256
56333f9ef9b66dbbc99f52ad5a04d7e1c3fad175f97a08628b5f4983b46e864d

SHA512
0a42b3a240effb667ddccd8d2be0df4ff5c184108c10671b1b482b92ab9c2b51d5bf9930ba68fc74c0ab729846a4e83f5c5f6ef41c5fd0ca270e3d57e447aea7

Download Submit
memory/428-76-0x000000000045A000-0x0000000000460000-memory.dmp

Filesize
24KB

Download
memory/428-74-0x0000000000000000-mapping.dmp

Download
memory/868-70-0x00000000003BA000-0x00000000003C0000-memory.dmp

Filesize
24KB

Download
memory/868-68-0x0000000000000000-mapping.dmp

Download
memory/944-65-0x0000000000000000-mapping.dmp

Download
memory/944-67-0x000000000045A000-0x0000000000460000-memory.dmp

Filesize
24KB

Download
memory/1016-56-0x0000000000000000-mapping.dmp

Download
memory/1312-57-0x0000000000000000-mapping.dmp

Download
memory/1376-59-0x0000000000000000-mapping.dmp

Download
memory/1376-61-0x000000000034A000-0x0000000000350000-memory.dmp

Filesize
24KB

Download
memory/1864-71-0x0000000000000000-mapping.dmp

Download
memory/1864-73-0x000000000016A000-0x0000000000170000-memory.dmp

Filesize
24KB

Download
memory/1964-54-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/1964-55-0x000000000016A000-0x0000000000170000-memory.dmp

Filesize
24KB

Download
memory/1976-77-0x0000000000000000-mapping.dmp

Download
memory/1976-79-0x000000000030A000-0x0000000000310000-memory.dmp

Filesize
24KB

Download
memory/1996-64-0x000000000030A000-0x0000000000310000-memory.dmp

Filesize
24KB

Download
memory/1996-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads