Analysis

  • max time kernel
    54s
  • max time network
    117s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    17-09-2022 16:25

General

  • Target

    a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe

  • Size

    903KB

  • MD5

    d59070df40cdc5587c12177ec520eb7f

  • SHA1

    bcb530e8b6b8395345863f96876244984f2bf767

  • SHA256

    a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2

  • SHA512

    47c37fcb8c8a638fd66e3faddd10ca0f685343e8660d472923b5c9afeefd3a185686792c382e2392fa8a965342c750618711a91950763d76c94b5eaf3da7c944

  • SSDEEP

    768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application (2 TTPs, 9 IoCs)
  • Program crash (1 IoCs)
  • Creates scheduled task(s) (1 TTPs, 8 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (60 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe
    "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3856
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2220
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5020
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
        3⤵
        • Creates scheduled task(s)
        PID:4032
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3752
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      2⤵
      PID:5092
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1713" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      2⤵
      PID:1528
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2992
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
        3⤵
        • Creates scheduled task(s)
        PID:4428
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      2⤵
      PID:4108
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk814" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      2⤵
      PID:1280
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk1966" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:372
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk1966" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3964
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1281" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1281" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3724
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1320
      2⤵
      • Program crash
      PID:860

Network

MITRE ATT&CK Enterprise v6


Downloads
