526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d

General

Target

526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Size

25KB
MD5

b24dbc4599f68ca571980900b3fd29e6
SHA1

8825a7e3aaa41d597a0e5209e8a6cedaa156d31c
SHA256

526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d
SHA512

bce4def09ea780901e74d9434f8bb5497cb29c16e806aa55c92802c71b2bdbfe178ab4a71fbcb8a0597fbce5679ec17a8cce8084e22853e089c90b436e857e54

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Server.exeServer.exe

pid process

3512 Server.exe
3876 Server.exe

pid	process
3512	Server.exe
3876	Server.exe

Drops startup file 2 IoCs

Processes:

526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe\" .."	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe\" .."	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2660 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exeServer.exe

pid process

4540 526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
3512 Server.exe

pid	process
2660	schtasks.exe

pid	process
4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
3512	Server.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe

description	pid	process
Token: SeDebugPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: 33	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
Token: SeIncBasePriorityPrivilege	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe

description	pid	process	target process
PID 4540 wrote to memory of 2660	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe	schtasks.exe
PID 4540 wrote to memory of 2660	4540	526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe
"C:\Users\Admin\AppData\Local\Temp\526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Creates scheduled task(s)
PID:2660

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:3512

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
PID:3876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Server.exe.log
Filesize
1KB

MD5
a8a147915e3a996fdbe10b3a3f1e1bb2

SHA1
abc564c1be468d57e700913e7b6cf8f62d421263

SHA256
8b96a8557deea66696837af011843d6a82451ba57c8f9b5a2726a70818d6fc7e

SHA512
17b42f17ef60a9f625703172763f692e5ed2ca93564a97853dfa72bb0ac6305ef3267aea0b205938e3aa8eac10156d9d4f322b30d0329d92d647bcec6372731c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
25KB

MD5
b24dbc4599f68ca571980900b3fd29e6

SHA1
8825a7e3aaa41d597a0e5209e8a6cedaa156d31c

SHA256
526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d

SHA512
bce4def09ea780901e74d9434f8bb5497cb29c16e806aa55c92802c71b2bdbfe178ab4a71fbcb8a0597fbce5679ec17a8cce8084e22853e089c90b436e857e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
25KB

MD5
b24dbc4599f68ca571980900b3fd29e6

SHA1
8825a7e3aaa41d597a0e5209e8a6cedaa156d31c

SHA256
526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d

SHA512
bce4def09ea780901e74d9434f8bb5497cb29c16e806aa55c92802c71b2bdbfe178ab4a71fbcb8a0597fbce5679ec17a8cce8084e22853e089c90b436e857e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
25KB

MD5
b24dbc4599f68ca571980900b3fd29e6

SHA1
8825a7e3aaa41d597a0e5209e8a6cedaa156d31c

SHA256
526bb9a7cfa4440e781c41f3041438924ac1585a5b8c83d9eeb4b23a7b5d308d

SHA512
bce4def09ea780901e74d9434f8bb5497cb29c16e806aa55c92802c71b2bdbfe178ab4a71fbcb8a0597fbce5679ec17a8cce8084e22853e089c90b436e857e54

Download Submit
memory/2660-132-0x0000000000000000-mapping.dmp

Download
memory/3512-136-0x00007FF9DF670000-0x00007FF9E0131000-memory.dmp

Filesize
10.8MB

Download
memory/3512-137-0x00007FF9DF670000-0x00007FF9E0131000-memory.dmp

Filesize
10.8MB

Download
memory/3876-140-0x00007FF9DF670000-0x00007FF9E0131000-memory.dmp

Filesize
10.8MB

Download
memory/3876-141-0x00007FF9DF670000-0x00007FF9E0131000-memory.dmp

Filesize
10.8MB

Download
memory/4540-130-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/4540-131-0x00007FF9DF670000-0x00007FF9E0131000-memory.dmp

Filesize
10.8MB

Download
memory/4540-133-0x00007FF9DF670000-0x00007FF9E0131000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads