acec2cb8ba414dee716ba5a90908121d64482a56eb2e8da78f7bf62f25846c63

Analysis

max time kernel
291s
max time network
182s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
16-09-2022 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acec2cb8ba414dee716ba5a90908121d64482a56eb2e8da78f7bf62f25846c63.exe
Size

2.2MB
MD5

b0e2f4f332576bc0518721f042beb797
SHA1

e79e20983ad2a8f68327750ce790e84cc3ebd47d
SHA256

acec2cb8ba414dee716ba5a90908121d64482a56eb2e8da78f7bf62f25846c63
SHA512

95198982892f9767e490a3428302a8be84fa8ea03cbe2d7c5b7c214f3fcd42770aa24c69271f038378223914a059d617264ae94f327601faa007ef139e96e7fa
SSDEEP

49152:9MSlDi3ntoJ4K8vq9cFEB5dVuxq4kaw+Qui3J7uJDgkI:5lD85qIEBD7awKW7uJDg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4388	eventvwr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2704	acec2cb8ba414dee716ba5a90908121d64482a56eb2e8da78f7bf62f25846c63.exe
4388	eventvwr.exe
4388	eventvwr.exe
4388	eventvwr.exe
4388	eventvwr.exe
4388	eventvwr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3564	2704	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4108	schtasks.exe
3436	schtasks.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2704	acec2cb8ba414dee716ba5a90908121d64482a56eb2e8da78f7bf62f25846c63.exe
4388	eventvwr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4108	2704	acec2cb8ba414dee716ba5a90908121d64482a56eb2e8da78f7bf62f25846c63.exe	67
PID 2704 wrote to memory of 4108	2704	acec2cb8ba414dee716ba5a90908121d64482a56eb2e8da78f7bf62f25846c63.exe	67
PID 2704 wrote to memory of 4108	2704	acec2cb8ba414dee716ba5a90908121d64482a56eb2e8da78f7bf62f25846c63.exe	67
PID 2704 wrote to memory of 4820	2704	acec2cb8ba414dee716ba5a90908121d64482a56eb2e8da78f7bf62f25846c63.exe	68
PID 2704 wrote to memory of 4820	2704	acec2cb8ba414dee716ba5a90908121d64482a56eb2e8da78f7bf62f25846c63.exe	68
PID 2704 wrote to memory of 4820	2704	acec2cb8ba414dee716ba5a90908121d64482a56eb2e8da78f7bf62f25846c63.exe	68
PID 4388 wrote to memory of 3436	4388	eventvwr.exe	73
PID 4388 wrote to memory of 3436	4388	eventvwr.exe	73
PID 4388 wrote to memory of 3436	4388	eventvwr.exe	73

C:\Users\Admin\AppData\Local\Temp\acec2cb8ba414dee716ba5a90908121d64482a56eb2e8da78f7bf62f25846c63.exe
"C:\Users\Admin\AppData\Local\Temp\acec2cb8ba414dee716ba5a90908121d64482a56eb2e8da78f7bf62f25846c63.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4108
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "Event Viewer Snap-in Launcher (29762912)"
  2⤵
  PID:4820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 688
  2⤵
  - Program crash
  PID:3564

C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe
C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe

Filesize
2.2MB

MD5
b0e2f4f332576bc0518721f042beb797

SHA1
e79e20983ad2a8f68327750ce790e84cc3ebd47d

SHA256
acec2cb8ba414dee716ba5a90908121d64482a56eb2e8da78f7bf62f25846c63

SHA512
95198982892f9767e490a3428302a8be84fa8ea03cbe2d7c5b7c214f3fcd42770aa24c69271f038378223914a059d617264ae94f327601faa007ef139e96e7fa

Download Submit
C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe

Filesize
2.2MB

MD5
b0e2f4f332576bc0518721f042beb797

SHA1
e79e20983ad2a8f68327750ce790e84cc3ebd47d

SHA256
acec2cb8ba414dee716ba5a90908121d64482a56eb2e8da78f7bf62f25846c63

SHA512
95198982892f9767e490a3428302a8be84fa8ea03cbe2d7c5b7c214f3fcd42770aa24c69271f038378223914a059d617264ae94f327601faa007ef139e96e7fa

Download Submit
memory/2704-150-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-137-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-117-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-118-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-119-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-151-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-121-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-122-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-123-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-124-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-125-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-126-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-127-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-128-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-129-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-130-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-132-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-133-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-134-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-135-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-136-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-165-0x000000007E7E0000-0x000000007EBB1000-memory.dmp

Filesize
3.8MB

Download
memory/2704-131-0x0000000000D10000-0x000000000167B000-memory.dmp

Filesize
9.4MB

Download
memory/2704-138-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-139-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-140-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-141-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-142-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-144-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-145-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-143-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-146-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-148-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-147-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-115-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-149-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-120-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-152-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-116-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-191-0x0000000000D10000-0x000000000167B000-memory.dmp

Filesize
9.4MB

Download
memory/3436-230-0x0000000000000000-mapping.dmp

Download
memory/4108-153-0x0000000000000000-mapping.dmp

Download
memory/4108-170-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-157-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-158-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-159-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-161-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-164-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-167-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-168-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-166-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-169-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-163-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-162-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-160-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-155-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-156-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-154-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-171-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4108-172-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4388-249-0x0000000001140000-0x0000000001AAB000-memory.dmp

Filesize
9.4MB

Download
memory/4388-251-0x0000000001140000-0x0000000001AAB000-memory.dmp

Filesize
9.4MB

Download
memory/4388-250-0x000000007ECC0000-0x000000007F091000-memory.dmp

Filesize
3.8MB

Download
memory/4820-180-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-179-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-178-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-173-0x0000000000000000-mapping.dmp

Download
memory/4820-176-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-175-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-181-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-182-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-177-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-174-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads