5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06

General

Target

5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06.exe
Size

580KB
MD5

298a7bb14964164ccf5aa618d05a8f14
SHA1

e77c1ff60100d5cab554166a4c7a00003e2d67e6
SHA256

5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06
SHA512

f0c1c5a9080d263e51c647147ad21a1ad93d7f6fbfc7d25528a94c11a203d43728560ba41223a058a4f306455aaf6605c58477e967764b096564b01184afbe61

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

infoweb.exeinfoweb.exe

pid process

892 infoweb.exe
2024 infoweb.exe

pid	process
892	infoweb.exe
2024	infoweb.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/620-55-0x0000000000400000-0x000000000054C000-memory.dmp	upx
\Users\Admin\AppData\Roaming\infoweb.exe	upx
C:\Users\Admin\AppData\Roaming\infoweb.exe	upx
behavioral1/memory/620-60-0x0000000000400000-0x000000000054C000-memory.dmp	upx
behavioral1/memory/892-63-0x0000000000400000-0x000000000054C000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\infoweb.exe	upx
behavioral1/memory/892-66-0x0000000000400000-0x000000000054C000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\infoweb.exe	upx
behavioral1/memory/892-70-0x0000000000400000-0x000000000054C000-memory.dmp	upx
behavioral1/memory/2024-71-0x0000000000400000-0x000000000054C000-memory.dmp	upx
behavioral1/memory/2024-75-0x0000000000400000-0x000000000054C000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06.exe

pid process

620 5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06.exe
Drops file in System32 directory 1 IoCs

Processes:

infoweb.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\settings.bat infoweb.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1256 schtasks.exe
1332 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

infoweb.exeinfoweb.exe

pid process

892 infoweb.exe
2024 infoweb.exe

pid	process
620	5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\settings.bat	infoweb.exe

pid	process
1256	schtasks.exe
1332	schtasks.exe

pid	process
892	infoweb.exe
2024	infoweb.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06.exeinfoweb.execmd.exetaskeng.exeinfoweb.execmd.exe

description	pid	process	target process
PID 620 wrote to memory of 892	620	5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06.exe	infoweb.exe
PID 620 wrote to memory of 892	620	5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06.exe	infoweb.exe
PID 620 wrote to memory of 892	620	5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06.exe	infoweb.exe
PID 620 wrote to memory of 892	620	5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06.exe	infoweb.exe
PID 892 wrote to memory of 1692	892	infoweb.exe	cmd.exe
PID 892 wrote to memory of 1692	892	infoweb.exe	cmd.exe
PID 892 wrote to memory of 1692	892	infoweb.exe	cmd.exe
PID 892 wrote to memory of 1692	892	infoweb.exe	cmd.exe
PID 1692 wrote to memory of 1256	1692	cmd.exe	schtasks.exe
PID 1692 wrote to memory of 1256	1692	cmd.exe	schtasks.exe
PID 1692 wrote to memory of 1256	1692	cmd.exe	schtasks.exe
PID 1692 wrote to memory of 1256	1692	cmd.exe	schtasks.exe
PID 1696 wrote to memory of 2024	1696	taskeng.exe	infoweb.exe
PID 1696 wrote to memory of 2024	1696	taskeng.exe	infoweb.exe
PID 1696 wrote to memory of 2024	1696	taskeng.exe	infoweb.exe
PID 1696 wrote to memory of 2024	1696	taskeng.exe	infoweb.exe
PID 2024 wrote to memory of 1500	2024	infoweb.exe	cmd.exe
PID 2024 wrote to memory of 1500	2024	infoweb.exe	cmd.exe
PID 2024 wrote to memory of 1500	2024	infoweb.exe	cmd.exe
PID 2024 wrote to memory of 1500	2024	infoweb.exe	cmd.exe
PID 1500 wrote to memory of 1332	1500	cmd.exe	schtasks.exe
PID 1500 wrote to memory of 1332	1500	cmd.exe	schtasks.exe
PID 1500 wrote to memory of 1332	1500	cmd.exe	schtasks.exe
PID 1500 wrote to memory of 1332	1500	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06.exe
"C:\Users\Admin\AppData\Local\Temp\5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Roaming\infoweb.exe
C:\Users\Admin\AppData\Roaming\infoweb.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c settings.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn Web\Host /tr C:\Users\Admin\Appdata\Roaming\infoweb.exe /st 00:00 /sc once /du 9999:59 /ri 5 /f
4⤵
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\taskeng.exe
taskeng.exe {0A53C8CA-E219-48CA-9E1F-01B3E6C606CE} S-1-5-21-335065374-4263250628-1829373619-1000:RTYPLWYY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\Appdata\Roaming\infoweb.exe
C:\Users\Admin\Appdata\Roaming\infoweb.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c settings.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn Web\Host /tr C:\Users\Admin\Appdata\Roaming\infoweb.exe /st 00:00 /sc once /du 9999:59 /ri 5 /f
4⤵
- Creates scheduled task(s)
PID:1332

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\settings.bat
Filesize
115B

MD5
4590cc753442db2e177fc1ae689e8de9

SHA1
3741442fc3909653575d9751297b24964836fe26

SHA256
a9195576c7304cf14a5c511121fcf1603b1163946302e5c682f16b3b21a20297

SHA512
3b55dce2e8db62c4a2a03ddf893067bbc6bb189e11e74d73331b03aae1aea107555705aaa739800e65190cc345542d458ebf963caf704f47c9167ed923218763

Download Submit
C:\Users\Admin\AppData\Roaming\infoweb.exe
Filesize
580KB

MD5
298a7bb14964164ccf5aa618d05a8f14

SHA1
e77c1ff60100d5cab554166a4c7a00003e2d67e6

SHA256
5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06

SHA512
f0c1c5a9080d263e51c647147ad21a1ad93d7f6fbfc7d25528a94c11a203d43728560ba41223a058a4f306455aaf6605c58477e967764b096564b01184afbe61

Download Submit
C:\Users\Admin\AppData\Roaming\infoweb.exe
Filesize
580KB

MD5
298a7bb14964164ccf5aa618d05a8f14

SHA1
e77c1ff60100d5cab554166a4c7a00003e2d67e6

SHA256
5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06

SHA512
f0c1c5a9080d263e51c647147ad21a1ad93d7f6fbfc7d25528a94c11a203d43728560ba41223a058a4f306455aaf6605c58477e967764b096564b01184afbe61

Download Submit
C:\Users\Admin\AppData\Roaming\infoweb.exe
Filesize
580KB

MD5
298a7bb14964164ccf5aa618d05a8f14

SHA1
e77c1ff60100d5cab554166a4c7a00003e2d67e6

SHA256
5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06

SHA512
f0c1c5a9080d263e51c647147ad21a1ad93d7f6fbfc7d25528a94c11a203d43728560ba41223a058a4f306455aaf6605c58477e967764b096564b01184afbe61

Download Submit
C:\Windows\SysWOW64\settings.bat
Filesize
115B

MD5
4590cc753442db2e177fc1ae689e8de9

SHA1
3741442fc3909653575d9751297b24964836fe26

SHA256
a9195576c7304cf14a5c511121fcf1603b1163946302e5c682f16b3b21a20297

SHA512
3b55dce2e8db62c4a2a03ddf893067bbc6bb189e11e74d73331b03aae1aea107555705aaa739800e65190cc345542d458ebf963caf704f47c9167ed923218763

Download Submit
\Users\Admin\AppData\Roaming\infoweb.exe
Filesize
580KB

MD5
298a7bb14964164ccf5aa618d05a8f14

SHA1
e77c1ff60100d5cab554166a4c7a00003e2d67e6

SHA256
5be609375faa67469b289f257af8a5c9d5dc56fc444413828d3c59d2f2519b06

SHA512
f0c1c5a9080d263e51c647147ad21a1ad93d7f6fbfc7d25528a94c11a203d43728560ba41223a058a4f306455aaf6605c58477e967764b096564b01184afbe61

Download Submit
memory/620-60-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/620-54-0x0000000075311000-0x0000000075313000-memory.dmp

Filesize
8KB

Download
memory/620-55-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/892-57-0x0000000000000000-mapping.dmp

Download
memory/892-66-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/892-70-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/892-63-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1256-64-0x0000000000000000-mapping.dmp

Download
memory/1332-74-0x0000000000000000-mapping.dmp

Download
memory/1500-72-0x0000000000000000-mapping.dmp

Download
memory/1692-61-0x0000000000000000-mapping.dmp

Download
memory/2024-67-0x0000000000000000-mapping.dmp

Download
memory/2024-71-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2024-75-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads