661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4

Analysis

max time kernel
291s
max time network
180s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
25/09/2022, 10:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe
Size

2.2MB
MD5

59af86112d909203945c2c7c90619ea5
SHA1

4620295a416ee9d529c301cc8b77835dd4d99734
SHA256

661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4
SHA512

7f8c92a647a62b2755d12231f862b76ee2c28c61bd642c84a75d0c8cccc3663e6dd419c06817dc12261d95d763a311d152b73d20442bb4f957b862c99f6b5ef3
SSDEEP

49152:Dx5aZlC/gpB3lGqVUOCL4k1OimoZ37Uim+gfzSxBcsGH/FBnRx:DbaZwEBVGqVUOq4qOfilgbSzXGfBx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
436	eventvwr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2496	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe
2496	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe
436	eventvwr.exe
436	eventvwr.exe
436	eventvwr.exe
436	eventvwr.exe
436	eventvwr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4304	2496	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4628	schtasks.exe
1388	schtasks.exe
4136	schtasks.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2496	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe
436	eventvwr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 4628	2496	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	66
PID 2496 wrote to memory of 4628	2496	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	66
PID 2496 wrote to memory of 4628	2496	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	66
PID 2496 wrote to memory of 2340	2496	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	68
PID 2496 wrote to memory of 2340	2496	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	68
PID 2496 wrote to memory of 2340	2496	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	68
PID 2496 wrote to memory of 1388	2496	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	70
PID 2496 wrote to memory of 1388	2496	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	70
PID 2496 wrote to memory of 1388	2496	661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe	70
PID 436 wrote to memory of 4136	436	eventvwr.exe	75
PID 436 wrote to memory of 4136	436	eventvwr.exe	75
PID 436 wrote to memory of 4136	436	eventvwr.exe	75

C:\Users\Admin\AppData\Local\Temp\661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe
"C:\Users\Admin\AppData\Local\Temp\661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4628
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "Event Viewer Snap-in Launcher (29762912)"
  2⤵
  PID:2340
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /tn "Event Viewer Snap-in Launcher (29762912)" /XML "C:\Users\Admin\AppData\Roaming\EventViewer\tfnme73946158264.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 324
  2⤵
  - Program crash
  PID:4304

C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe
C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe

Filesize
2.2MB

MD5
59af86112d909203945c2c7c90619ea5

SHA1
4620295a416ee9d529c301cc8b77835dd4d99734

SHA256
661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4

SHA512
7f8c92a647a62b2755d12231f862b76ee2c28c61bd642c84a75d0c8cccc3663e6dd419c06817dc12261d95d763a311d152b73d20442bb4f957b862c99f6b5ef3

Download Submit
C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe

Filesize
2.2MB

MD5
59af86112d909203945c2c7c90619ea5

SHA1
4620295a416ee9d529c301cc8b77835dd4d99734

SHA256
661e7fa1d1e6d6f6075e778a37860bda4bbe9c407b1dc41298b1fc4f5abea2c4

SHA512
7f8c92a647a62b2755d12231f862b76ee2c28c61bd642c84a75d0c8cccc3663e6dd419c06817dc12261d95d763a311d152b73d20442bb4f957b862c99f6b5ef3

Download Submit
C:\Users\Admin\AppData\Roaming\EventViewer\tfnme73946158264.tmp

Filesize
1KB

MD5
51ecf66b058a5e4079008012d8619179

SHA1
383c7a40e2e35aba5cbd5b0788ffd4eca6633c87

SHA256
c5db46548c03324cb73d2aa98d9c733acd096e6d7c4b5e3839476d0aeea42c32

SHA512
505c390972f1dd9d6caa61c9ca40d232b20610fd1c2c8743639baf4feef0f129fcf254c07a09cb26051dec551329e53b8b3735f5673ea9a508fe8ee8cfdb3aa8

Download Submit
memory/436-273-0x000000007DF90000-0x000000007E361000-memory.dmp

Filesize
3.8MB

Download
memory/436-272-0x0000000001190000-0x0000000001AFA000-memory.dmp

Filesize
9.4MB

Download
memory/436-269-0x000000007DF90000-0x000000007E361000-memory.dmp

Filesize
3.8MB

Download
memory/436-268-0x0000000001190000-0x0000000001AFA000-memory.dmp

Filesize
9.4MB

Download
memory/2340-184-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-183-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-182-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-181-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-180-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-179-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-178-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-177-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-176-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-155-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-132-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-137-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-138-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-139-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-140-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-141-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-142-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-143-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-144-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-145-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-146-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-147-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-148-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-149-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-150-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-151-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-152-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-153-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-154-0x000000007EF70000-0x000000007F341000-memory.dmp

Filesize
3.8MB

Download
memory/2496-117-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-118-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-119-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-120-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-121-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-122-0x0000000000EF0000-0x000000000185A000-memory.dmp

Filesize
9.4MB

Download
memory/2496-123-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-212-0x0000000000EF0000-0x000000000185A000-memory.dmp

Filesize
9.4MB

Download
memory/2496-124-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-125-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-126-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-127-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-128-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-129-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-130-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-131-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-136-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-133-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-134-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-135-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-169-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-163-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-171-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-165-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-174-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-168-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-167-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-166-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-172-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-164-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-170-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-162-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-161-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-160-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-173-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-159-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-158-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-157-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads