e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6

General

Target

e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6.exe
Size

2.0MB
MD5

4b2f52a5a9d6f4fbe5839cdeba0780fb
SHA1

eae2e0e28d503d2add491d00105e5ea72606aeb8
SHA256

e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6
SHA512

384490a7c9dcaf3139f5cc9e253eb914dec1a1c15b860ad53322082118a36727bfb9f267fb6709410f93b8c113ec52c4ad287882b1abef5b720e1952eeced28c
SSDEEP

49152:eBKnLQEGjYIDTI2ePP4Qudz7XxlhcJj9NX9qCWpCS:eBvjYIPI2evudhlGJo9pN

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1276	eventvwr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1496	e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6.exe
1496	e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6.exe
1276	eventvwr.exe
1276	eventvwr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1204	1496	WerFault.exe	25

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2040	schtasks.exe
1436	schtasks.exe
1604	schtasks.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1496	e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6.exe
1276	eventvwr.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 2040	1496	e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6.exe	27
PID 1496 wrote to memory of 2040	1496	e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6.exe	27
PID 1496 wrote to memory of 2040	1496	e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6.exe	27
PID 1496 wrote to memory of 2040	1496	e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6.exe	27
PID 1496 wrote to memory of 1904	1496	e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6.exe	29
PID 1496 wrote to memory of 1904	1496	e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6.exe	29
PID 1496 wrote to memory of 1904	1496	e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6.exe	29
PID 1496 wrote to memory of 1904	1496	e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6.exe	29
PID 1716 wrote to memory of 1276	1716	taskeng.exe	34
PID 1716 wrote to memory of 1276	1716	taskeng.exe	34
PID 1716 wrote to memory of 1276	1716	taskeng.exe	34
PID 1716 wrote to memory of 1276	1716	taskeng.exe	34
PID 1276 wrote to memory of 1604	1276	eventvwr.exe	35
PID 1276 wrote to memory of 1604	1276	eventvwr.exe	35
PID 1276 wrote to memory of 1604	1276	eventvwr.exe	35
PID 1276 wrote to memory of 1604	1276	eventvwr.exe	35

C:\Users\Admin\AppData\Local\Temp\e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6.exe
"C:\Users\Admin\AppData\Local\Temp\e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2040
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "Event Viewer Snap-in Launcher (29762912)"
  2⤵
  PID:1904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 296
  2⤵
  - Program crash
  PID:1204
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /tn "Event Viewer Snap-in Launcher (29762912)" /XML "C:\Users\Admin\AppData\Roaming\EventViewer\tfnme73946158264.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1436

C:\Windows\system32\taskeng.exe
taskeng.exe {85632B10-A38E-4C94-A3E3-D1D3605AFD1C} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe
  C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe

Filesize
2.0MB

MD5
4b2f52a5a9d6f4fbe5839cdeba0780fb

SHA1
eae2e0e28d503d2add491d00105e5ea72606aeb8

SHA256
e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6

SHA512
384490a7c9dcaf3139f5cc9e253eb914dec1a1c15b860ad53322082118a36727bfb9f267fb6709410f93b8c113ec52c4ad287882b1abef5b720e1952eeced28c

Download Submit
C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe

Filesize
2.0MB

MD5
4b2f52a5a9d6f4fbe5839cdeba0780fb

SHA1
eae2e0e28d503d2add491d00105e5ea72606aeb8

SHA256
e0b7c23920e0dbb946862fbbbdd55bf2fd400e654c352d7e5d46b250fbfc20d6

SHA512
384490a7c9dcaf3139f5cc9e253eb914dec1a1c15b860ad53322082118a36727bfb9f267fb6709410f93b8c113ec52c4ad287882b1abef5b720e1952eeced28c

Download Submit
memory/1276-67-0x0000000000DC0000-0x000000000170C000-memory.dmp

Filesize
9.3MB

Download
memory/1276-66-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1276-65-0x0000000000DC0000-0x000000000170C000-memory.dmp

Filesize
9.3MB

Download
memory/1496-57-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1496-59-0x00000000008C0000-0x000000000120C000-memory.dmp

Filesize
9.3MB

Download
memory/1496-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/1496-56-0x00000000008C0000-0x000000000120C000-memory.dmp

Filesize
9.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads