Analysis
- max time kernel: 164s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-05-2022 22:07
Static task: static1
Behavioral task behavioral1
- Sample: 11-10-2020 NEW SPECIF #3309 MCHN.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: 11-10-2020 NEW SPECIF #3309 MCHN.exe
- Resource: win10v2004-20220414-en
Behavioral task behavioral3
- Sample: 11_07_2020 PO_INVOICE #3309247.exe
- Resource: win7-20220414-en
Behavioral task behavioral4
- Sample: 11_07_2020 PO_INVOICE #3309247.exe
- Resource: win10v2004-20220414-en
General
- Target: 11-10-2020 NEW SPECIF #3309 MCHN.exe
- Size: 203KB
- MD5: b0e73dcfba506ab521b23383e49e778c
- SHA1: 640326b8b6fc9f0b5504e1e2e2ae961af819b9cc
- SHA256: a6477205ef1bd79cf5306cfa59940e34bf328ba2b447697d59d3936449f58ba5
- SHA512: 322f638cfc24b2ac4d7efdc872dd7760f6143315f1f7509baf703f76007c7ca38afd6f416b74bd73113664cec7a1f53790a9561002ac7d573efe11316627ed83
Malware Config
Signatures
- Checks whether UAC is enabled
  Processes (description / ioc / process):
  Key value queried / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA / 11-10-2020 NEW SPECIF #3309 MCHN.exe
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses 3 IoCs
  Processes (pid / process):
  1632 / 11-10-2020 NEW SPECIF #3309 MCHN.exe
  1632 / 11-10-2020 NEW SPECIF #3309 MCHN.exe
  1632 / 11-10-2020 NEW SPECIF #3309 MCHN.exe
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes (pid / process):
  1632 / 11-10-2020 NEW SPECIF #3309 MCHN.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 1632 / 11-10-2020 NEW SPECIF #3309 MCHN.exe
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes (description / pid / process / target process):
  PID 1632 wrote to memory of 4660 / 1632 / 11-10-2020 NEW SPECIF #3309 MCHN.exe / schtasks.exe
  PID 1632 wrote to memory of 4660 / 1632 / 11-10-2020 NEW SPECIF #3309 MCHN.exe / schtasks.exe
  PID 1632 wrote to memory of 4660 / 1632 / 11-10-2020 NEW SPECIF #3309 MCHN.exe / schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\11-10-2020 NEW SPECIF #3309 MCHN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11-10-2020 NEW SPECIF #3309 MCHN.exe"
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (child process)
    Command line: "schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD5E3.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD5E3.tmp
  Filesize: 1KB
  MD5: 73055fa6866d1d95c05d5878d1df7e00
  SHA1: a6cd517073fac1c1a56660e9d5b843a11fad029b
  SHA256: c9c9a74adf008d013f4583ee02c7e9b2a6265e25c0ed07628718e39a78ff059f
  SHA512: 73afba1cc00eba3c09053fc3ee17d01ab92e409f28796fa6d40bad6f4185e1910380cec3f19bde0fa151b17dbdee2b490e357ad6d5d07fca4e5dff8c305e416b
- memory/1632-130-0x0000000075520000-0x0000000075AD1000-memory.dmp
  Filesize: 5.7MB
- memory/4660-131-0x0000000000000000-mapping.dmp