79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2

Analysis

max time kernel
93s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe
Size

1.9MB
MD5

2d75c455e4f2390c0337a79b3b36dd56
SHA1

56de862a7247cc9a8225c02195981eef8f6bf678
SHA256

79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2
SHA512

cfb04ad55fca10d20268267fe19f341c9e001729e960e6b49281a40e853ff4f440a1c2640706abe47b0e6f88f077153601c464bc8315b4dc8e0008ee6bd3d5ca
SSDEEP

49152:J5WzV7UpOOYICbk7mCgIVvOAybr5dKcsZ/F2T:PCV4pO+Cbk6qxO2V/

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4516	netsh.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\IYMUGYHL651.txt	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe
File created	C:\Windows\svchost.exe	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe
File opened for modification	C:\Windows\svchost.exe	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
216	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2396	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 232	2396	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe	85
PID 2396 wrote to memory of 232	2396	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe	85
PID 2396 wrote to memory of 232	2396	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe	85
PID 2396 wrote to memory of 216	2396	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe	86
PID 2396 wrote to memory of 216	2396	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe	86
PID 2396 wrote to memory of 216	2396	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe	86
PID 232 wrote to memory of 4516	232	cmd.exe	89
PID 232 wrote to memory of 4516	232	cmd.exe	89
PID 232 wrote to memory of 4516	232	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe
"C:\Users\Admin\AppData\Local\Temp\79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2396
- C:\WINDOWS\SysWOW64\cmd.exe
  C:\WINDOWS\system32\cmd.exe /c "netsh firewall set opmode mode = disable"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode = disable
    3⤵
    - Modifies Windows Firewall
    PID:4516
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn startt /tr c:\start.bat /sc onstart /ru system
  2⤵
  - Creates scheduled task(s)
  PID:216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads