661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4

General

Target

661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe
Size

2.2MB
MD5

59af86112d909203945c2c7c90619ea5
SHA1

4620295a416ee9d529c301cc8b77835dd4d99734
SHA256

661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4
SHA512

7f8c92a647a62b2755d12231f862b76ee2c28c61bd642c84a75d0c8cccc3663e6dd419c06817dc12261d95d763a311d152b73d20442bb4f957b862c99f6b5ef3
SSDEEP

49152:Dx5aZlC/gpB3lGqVUOCL4k1OimoZ37Uim+gfzSxBcsGH/FBnRx:DbaZwEBVGqVUOq4qOfilgbSzXGfBx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1184	eventvwr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1480	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe
1184	eventvwr.exe
1184	eventvwr.exe
1184	eventvwr.exe
1184	eventvwr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
112	1480	WerFault.exe	26

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1880	schtasks.exe
1752	schtasks.exe
968	schtasks.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1480	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe
1184	eventvwr.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1880	1480	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	27
PID 1480 wrote to memory of 1880	1480	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	27
PID 1480 wrote to memory of 1880	1480	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	27
PID 1480 wrote to memory of 1880	1480	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	27
PID 1480 wrote to memory of 1952	1480	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	29
PID 1480 wrote to memory of 1952	1480	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	29
PID 1480 wrote to memory of 1952	1480	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	29
PID 1480 wrote to memory of 1952	1480	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	29
PID 1720 wrote to memory of 1184	1720	taskeng.exe	34
PID 1720 wrote to memory of 1184	1720	taskeng.exe	34
PID 1720 wrote to memory of 1184	1720	taskeng.exe	34
PID 1720 wrote to memory of 1184	1720	taskeng.exe	34
PID 1184 wrote to memory of 968	1184	eventvwr.exe	36
PID 1184 wrote to memory of 968	1184	eventvwr.exe	36
PID 1184 wrote to memory of 968	1184	eventvwr.exe	36
PID 1184 wrote to memory of 968	1184	eventvwr.exe	36

C:\Users\Admin\AppData\Local\Temp\661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe
"C:\Users\Admin\AppData\Local\Temp\661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1880
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "Event Viewer Snap-in Launcher (29762912)"
  2⤵
  PID:1952
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /tn "Event Viewer Snap-in Launcher (29762912)" /XML "C:\Users\Admin\AppData\Roaming\EventViewer\tfnme73946158264.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 296
  2⤵
  - Program crash
  PID:112

C:\Windows\system32\taskeng.exe
taskeng.exe {E35CE622-82A9-4972-8B5D-AAF808D567CB} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe
  C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe

Filesize
2.2MB

MD5
59af86112d909203945c2c7c90619ea5

SHA1
4620295a416ee9d529c301cc8b77835dd4d99734

SHA256
661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4

SHA512
7f8c92a647a62b2755d12231f862b76ee2c28c61bd642c84a75d0c8cccc3663e6dd419c06817dc12261d95d763a311d152b73d20442bb4f957b862c99f6b5ef3

Download Submit
C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe

Filesize
2.2MB

MD5
59af86112d909203945c2c7c90619ea5

SHA1
4620295a416ee9d529c301cc8b77835dd4d99734

SHA256
661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4

SHA512
7f8c92a647a62b2755d12231f862b76ee2c28c61bd642c84a75d0c8cccc3663e6dd419c06817dc12261d95d763a311d152b73d20442bb4f957b862c99f6b5ef3

Download Submit
memory/1184-64-0x0000000000FB0000-0x000000000191A000-memory.dmp

Filesize
9.4MB

Download
memory/1184-65-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1184-66-0x0000000000FB0000-0x000000000191A000-memory.dmp

Filesize
9.4MB

Download
memory/1184-67-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1480-58-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1480-57-0x0000000000A60000-0x00000000013CA000-memory.dmp

Filesize
9.4MB

Download
memory/1480-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads