f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891

General

Target

f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891.exe
Size

2.2MB
MD5

954b7677eb947236a313bd1fb0407067
SHA1

77f87d4d8b12ba64b28cc8536ebf40dcec51f195
SHA256

f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891
SHA512

1c1bbf76f125b922c3da154a781dc7a59aafb57362dd8a642a43a26d1fbbad463c9330c4f77c658c634b5064312d0888993d7384da88f9b303ce894ef8db6f1f
SSDEEP

49152:2pS0zCZLl3G0u84DzZmg+rZhJQMJDh3IkyRusbg:2T2hDu84Bmhrz/JDh3IkyRr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
808	eventvwr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
1688	f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891.exe
1688	f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891.exe
808	eventvwr.exe
808	eventvwr.exe
808	eventvwr.exe
808	eventvwr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2040	1688	WerFault.exe	14

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1032	schtasks.exe
2024	schtasks.exe
1552	schtasks.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1688	f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891.exe
808	eventvwr.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1032	1688	f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891.exe	19
PID 1688 wrote to memory of 1032	1688	f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891.exe	19
PID 1688 wrote to memory of 1032	1688	f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891.exe	19
PID 1688 wrote to memory of 1032	1688	f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891.exe	19
PID 1688 wrote to memory of 1136	1688	f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891.exe	32
PID 1688 wrote to memory of 1136	1688	f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891.exe	32
PID 1688 wrote to memory of 1136	1688	f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891.exe	32
PID 1688 wrote to memory of 1136	1688	f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891.exe	32
PID 1160 wrote to memory of 808	1160	taskeng.exe	34
PID 1160 wrote to memory of 808	1160	taskeng.exe	34
PID 1160 wrote to memory of 808	1160	taskeng.exe	34
PID 1160 wrote to memory of 808	1160	taskeng.exe	34
PID 808 wrote to memory of 1552	808	eventvwr.exe	35
PID 808 wrote to memory of 1552	808	eventvwr.exe	35
PID 808 wrote to memory of 1552	808	eventvwr.exe	35
PID 808 wrote to memory of 1552	808	eventvwr.exe	35

C:\Users\Admin\AppData\Local\Temp\f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891.exe
"C:\Users\Admin\AppData\Local\Temp\f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 296
  2⤵
  - Program crash
  PID:2040
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /tn "Event Viewer Snap-in Launcher (29762912)" /XML "C:\Users\Admin\AppData\Roaming\EventViewer\tfnme73946158264.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2024
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "Event Viewer Snap-in Launcher (29762912)"
  2⤵
  PID:1136

C:\Windows\system32\taskeng.exe
taskeng.exe {CA6C0AD6-27AB-489B-8F37-D40F79F5DBFB} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe
  C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe

Filesize
2.2MB

MD5
954b7677eb947236a313bd1fb0407067

SHA1
77f87d4d8b12ba64b28cc8536ebf40dcec51f195

SHA256
f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891

SHA512
1c1bbf76f125b922c3da154a781dc7a59aafb57362dd8a642a43a26d1fbbad463c9330c4f77c658c634b5064312d0888993d7384da88f9b303ce894ef8db6f1f

Download Submit
C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe

Filesize
2.2MB

MD5
954b7677eb947236a313bd1fb0407067

SHA1
77f87d4d8b12ba64b28cc8536ebf40dcec51f195

SHA256
f9a994e6e546c540ddb863a31066a483c5d8fc21478348ecf6a60c7bc8a01891

SHA512
1c1bbf76f125b922c3da154a781dc7a59aafb57362dd8a642a43a26d1fbbad463c9330c4f77c658c634b5064312d0888993d7384da88f9b303ce894ef8db6f1f

Download Submit
memory/808-63-0x00000000001C0000-0x0000000000B2D000-memory.dmp

Filesize
9.4MB

Download
memory/808-60-0x0000000000000000-mapping.dmp

Download
memory/808-64-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/808-66-0x00000000001C0000-0x0000000000B2D000-memory.dmp

Filesize
9.4MB

Download
memory/808-67-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1032-55-0x0000000000000000-mapping.dmp

Download
memory/1136-56-0x0000000000000000-mapping.dmp

Download
memory/1552-65-0x0000000000000000-mapping.dmp

Download
memory/1688-58-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1688-57-0x0000000000AD0000-0x000000000143D000-memory.dmp

Filesize
9.4MB

Download
memory/1688-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads