b9e8d2ae255a3b585cd17cbfad39037f0bb9a7691b4977e08d248841017b1b2c

General

Target

b01e71436ccb703fbf02bf0e171f77ac.exe
Size

780KB
MD5

b01e71436ccb703fbf02bf0e171f77ac
SHA1

9acda7d69832cbfc66881302b5ab2691ad342c78
SHA256

b9e8d2ae255a3b585cd17cbfad39037f0bb9a7691b4977e08d248841017b1b2c
SHA512

a69c3969a2a62625604d1bdb1a8fe1e5d69100836d604c32e463b54854d7c60fd6c451246880ac6c84213955bba0bce6123882c16edc3d10ef8b89e5b13f464c

Score

10^/10

suricata

Malware Config

Signatures

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1360	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1360	schtasks.exe

suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
suricata
Executes dropped EXE 1 IoCs

Processes:

schtasks.exe

pid process

1624 schtasks.exe

pid	process
1624	schtasks.exe

Drops file in Program Files directory 7 IoCs

Processes:

b01e71436ccb703fbf02bf0e171f77ac.exeb01e71436ccb703fbf02bf0e171f77ac.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Media Player\System.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files (x86)\Windows Media Player\27d1bcfc3c54e0	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files (x86)\Google\Policies\explorer.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files (x86)\Google\Policies\7a0fd90576e088	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files\Microsoft Office\Office14\System.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files\Microsoft Office\Office14\27d1bcfc3c54e0	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files (x86)\Windows Media Player\System.exe	b01e71436ccb703fbf02bf0e171f77ac.exe

Drops file in Windows directory 1 IoCs

Processes:

b01e71436ccb703fbf02bf0e171f77ac.exe

description	ioc	process
File created	C:\Windows\winsxs\x86_microsoft-windows-c..snapindll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fbcf210605ed336a\WMIADAP.exe	b01e71436ccb703fbf02bf0e171f77ac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1256	schtasks.exe
1544	schtasks.exe
1648	schtasks.exe
2016	schtasks.exe
736	schtasks.exe
1984	schtasks.exe
1576	schtasks.exe
372	schtasks.exe
2032	schtasks.exe
1644	schtasks.exe
1712	schtasks.exe
780	schtasks.exe
1964	schtasks.exe
1528	schtasks.exe
1340	schtasks.exe
952	schtasks.exe
972	schtasks.exe
1600	schtasks.exe
1240	schtasks.exe
924	schtasks.exe
1168	schtasks.exe
1976	schtasks.exe
368	schtasks.exe
2032	schtasks.exe
1056	schtasks.exe
836	schtasks.exe
1572	schtasks.exe
1756	schtasks.exe
1044	schtasks.exe
1004	schtasks.exe
1968	schtasks.exe
456	schtasks.exe
2040	schtasks.exe
996	schtasks.exe
1564	schtasks.exe
572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

b01e71436ccb703fbf02bf0e171f77ac.exeb01e71436ccb703fbf02bf0e171f77ac.exeschtasks.exe

pid	process
1884	b01e71436ccb703fbf02bf0e171f77ac.exe
560	b01e71436ccb703fbf02bf0e171f77ac.exe
560	b01e71436ccb703fbf02bf0e171f77ac.exe
560	b01e71436ccb703fbf02bf0e171f77ac.exe
560	b01e71436ccb703fbf02bf0e171f77ac.exe
560	b01e71436ccb703fbf02bf0e171f77ac.exe
560	b01e71436ccb703fbf02bf0e171f77ac.exe
560	b01e71436ccb703fbf02bf0e171f77ac.exe
1624	schtasks.exe
1624	schtasks.exe
1624	schtasks.exe
1624	schtasks.exe
1624	schtasks.exe
1624	schtasks.exe
1624	schtasks.exe
1624	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b01e71436ccb703fbf02bf0e171f77ac.exeb01e71436ccb703fbf02bf0e171f77ac.exeschtasks.exe

description	pid	process
Token: SeDebugPrivilege	1884	b01e71436ccb703fbf02bf0e171f77ac.exe
Token: SeDebugPrivilege	560	b01e71436ccb703fbf02bf0e171f77ac.exe
Token: SeDebugPrivilege	1624	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b01e71436ccb703fbf02bf0e171f77ac.exeb01e71436ccb703fbf02bf0e171f77ac.exe

description	pid	process	target process
PID 1884 wrote to memory of 560	1884	b01e71436ccb703fbf02bf0e171f77ac.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
PID 1884 wrote to memory of 560	1884	b01e71436ccb703fbf02bf0e171f77ac.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
PID 1884 wrote to memory of 560	1884	b01e71436ccb703fbf02bf0e171f77ac.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
PID 560 wrote to memory of 1624	560	b01e71436ccb703fbf02bf0e171f77ac.exe	schtasks.exe
PID 560 wrote to memory of 1624	560	b01e71436ccb703fbf02bf0e171f77ac.exe	schtasks.exe
PID 560 wrote to memory of 1624	560	b01e71436ccb703fbf02bf0e171f77ac.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b01e71436ccb703fbf02bf0e171f77ac.exe
"C:\Users\Admin\AppData\Local\Temp\b01e71436ccb703fbf02bf0e171f77ac.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\b01e71436ccb703fbf02bf0e171f77ac.exe
  "C:\Users\Admin\AppData\Local\Temp\b01e71436ccb703fbf02bf0e171f77ac.exe"
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\schtasks.exe
    "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\schtasks.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 6 /tr "'C:\Recovery\619fcb42-bc70-11ec-bd6f-84e31b84a9f2\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\619fcb42-bc70-11ec-bd6f-84e31b84a9f2\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONSTART /tr "'C:\Recovery\619fcb42-bc70-11ec-bd6f-84e31b84a9f2\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc MINUTE /mo 7 /tr "'C:\ProgramData\Microsoft Help\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONSTART /tr "'C:\ProgramData\Microsoft Help\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONSTART /tr "'C:\Program Files\Microsoft Office\Office14\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Contacts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\Users\Admin\Contacts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Sample Videos\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONSTART /tr "'C:\Users\Public\Videos\Sample Videos\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Policies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\Program Files (x86)\Google\Policies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\ProgramData\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONSTART /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\schtasks.exe

Filesize
780KB

MD5
b01e71436ccb703fbf02bf0e171f77ac

SHA1
9acda7d69832cbfc66881302b5ab2691ad342c78

SHA256
b9e8d2ae255a3b585cd17cbfad39037f0bb9a7691b4977e08d248841017b1b2c

SHA512
a69c3969a2a62625604d1bdb1a8fe1e5d69100836d604c32e463b54854d7c60fd6c451246880ac6c84213955bba0bce6123882c16edc3d10ef8b89e5b13f464c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\schtasks.exe

Filesize
780KB

MD5
b01e71436ccb703fbf02bf0e171f77ac

SHA1
9acda7d69832cbfc66881302b5ab2691ad342c78

SHA256
b9e8d2ae255a3b585cd17cbfad39037f0bb9a7691b4977e08d248841017b1b2c

SHA512
a69c3969a2a62625604d1bdb1a8fe1e5d69100836d604c32e463b54854d7c60fd6c451246880ac6c84213955bba0bce6123882c16edc3d10ef8b89e5b13f464c

Download Submit
memory/560-56-0x0000000000000000-mapping.dmp

Download
memory/1624-57-0x0000000000000000-mapping.dmp

Download
memory/1624-60-0x00000000001D0000-0x000000000029A000-memory.dmp

Filesize
808KB

Download
memory/1884-54-0x00000000000B0000-0x000000000017A000-memory.dmp

Filesize
808KB

Download
memory/1884-55-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads