d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf

Analysis

max time kernel
149s
max time network
50s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-05-2022 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
Size

973KB
MD5

916541e6803dd6f2339ddac435cc28bc
SHA1

088b005106dcf95ccb214902f9bd671bc386ae36
SHA256

d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf
SHA512

c59dcae9683b9863c5b805ff9ce81070ef572c2108d4209b6ad64d005359e27f328a0f8e3acc26c4d85435e3f30d8e4e7fd2c6a8de8df380e961a87c2a6e377d

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1312	schtasks.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
428	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1016	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	28
PID 1964 wrote to memory of 1016	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	28
PID 1964 wrote to memory of 1016	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	28
PID 1964 wrote to memory of 1016	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	28
PID 1016 wrote to memory of 1312	1016	cmd.exe	29
PID 1016 wrote to memory of 1312	1016	cmd.exe	29
PID 1016 wrote to memory of 1312	1016	cmd.exe	29
PID 1016 wrote to memory of 1312	1016	cmd.exe	29
PID 1964 wrote to memory of 1984	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	30
PID 1964 wrote to memory of 1984	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	30
PID 1964 wrote to memory of 1984	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	30
PID 1964 wrote to memory of 1984	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	30
PID 1964 wrote to memory of 1984	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	30
PID 1964 wrote to memory of 1376	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	31
PID 1964 wrote to memory of 1376	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	31
PID 1964 wrote to memory of 1376	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	31
PID 1964 wrote to memory of 1376	1964	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	31
PID 1376 wrote to memory of 1108	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	32
PID 1376 wrote to memory of 1108	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	32
PID 1376 wrote to memory of 1108	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	32
PID 1376 wrote to memory of 1108	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	32
PID 1376 wrote to memory of 1108	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	32
PID 1376 wrote to memory of 1996	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	33
PID 1376 wrote to memory of 1996	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	33
PID 1376 wrote to memory of 1996	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	33
PID 1376 wrote to memory of 1996	1376	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	33
PID 1996 wrote to memory of 2008	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	34
PID 1996 wrote to memory of 2008	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	34
PID 1996 wrote to memory of 2008	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	34
PID 1996 wrote to memory of 2008	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	34
PID 1996 wrote to memory of 2008	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	34
PID 1996 wrote to memory of 944	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	35
PID 1996 wrote to memory of 944	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	35
PID 1996 wrote to memory of 944	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	35
PID 1996 wrote to memory of 944	1996	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	35
PID 944 wrote to memory of 1660	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	36
PID 944 wrote to memory of 1660	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	36
PID 944 wrote to memory of 1660	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	36
PID 944 wrote to memory of 1660	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	36
PID 944 wrote to memory of 1660	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	36
PID 944 wrote to memory of 868	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	37
PID 944 wrote to memory of 868	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	37
PID 944 wrote to memory of 868	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	37
PID 944 wrote to memory of 868	944	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	37
PID 868 wrote to memory of 676	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	38
PID 868 wrote to memory of 676	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	38
PID 868 wrote to memory of 676	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	38
PID 868 wrote to memory of 676	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	38
PID 868 wrote to memory of 676	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	38
PID 868 wrote to memory of 1864	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	39
PID 868 wrote to memory of 1864	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	39
PID 868 wrote to memory of 1864	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	39
PID 868 wrote to memory of 1864	868	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	39
PID 1864 wrote to memory of 820	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	40
PID 1864 wrote to memory of 820	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	40
PID 1864 wrote to memory of 820	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	40
PID 1864 wrote to memory of 820	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	40
PID 1864 wrote to memory of 820	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	40
PID 1864 wrote to memory of 428	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	41
PID 1864 wrote to memory of 428	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	41
PID 1864 wrote to memory of 428	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	41
PID 1864 wrote to memory of 428	1864	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	41
PID 428 wrote to memory of 680	428	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	42
PID 428 wrote to memory of 680	428	d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe	42

C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
"C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks /Create /TN hghyh /XML "C:\Users\Admin\AppData\Local\Temp\b118352451ca445c83c32e8ee5d2d5c5.xml"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /TN hghyh /XML "C:\Users\Admin\AppData\Local\Temp\b118352451ca445c83c32e8ee5d2d5c5.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
  "C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1108
- - C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
    "C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
    3⤵
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
      "C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
      4⤵
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:1660
    - - C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
        5⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:676
      - C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
        6⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
        7⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d8bbf2d84a533532848b4895833af517da967466375738988cf5b4c40f7213cf.exe"
        8⤵
        
        PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b118352451ca445c83c32e8ee5d2d5c5.xml

Filesize
1KB

MD5
50c7d96141cdd50386ae866b74565f0f

SHA1
8cbadc1644145bf381f632d52acd1f1c0a5aceb6

SHA256
56333f9ef9b66dbbc99f52ad5a04d7e1c3fad175f97a08628b5f4983b46e864d

SHA512
0a42b3a240effb667ddccd8d2be0df4ff5c184108c10671b1b482b92ab9c2b51d5bf9930ba68fc74c0ab729846a4e83f5c5f6ef41c5fd0ca270e3d57e447aea7

Download Submit
memory/428-76-0x000000000045A000-0x0000000000460000-memory.dmp

Filesize
24KB

Download
memory/868-70-0x00000000003BA000-0x00000000003C0000-memory.dmp

Filesize
24KB

Download
memory/944-67-0x000000000045A000-0x0000000000460000-memory.dmp

Filesize
24KB

Download
memory/1376-61-0x000000000034A000-0x0000000000350000-memory.dmp

Filesize
24KB

Download
memory/1864-73-0x000000000016A000-0x0000000000170000-memory.dmp

Filesize
24KB

Download
memory/1964-54-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/1964-55-0x000000000016A000-0x0000000000170000-memory.dmp

Filesize
24KB

Download
memory/1976-79-0x000000000030A000-0x0000000000310000-memory.dmp

Filesize
24KB

Download
memory/1996-64-0x000000000030A000-0x0000000000310000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads