876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04

Analysis

max time kernel
291s
max time network
295s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe
Size

4.8MB
MD5

80750ddfb5cfe9eb8e2adac60f372534
SHA1

a720efe2b3ef7735efd77de698a5576b36068d07
SHA256

876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04
SHA512

bf4100fc99282c91ec03c8c234d320321e21e5e4120c45c2cd5cfeaffcf07d4e67143e61407b570448bea16b44ed0bf7ad720e61ca2ae5d30d804c5fc8266d6f
SSDEEP

49152:RAM2vrGxtRJHHc1RmqAhaShRgdGMYYqWxvdTBB0IEqYjla27EdS5g+A:mMgGxtU1RmqA3xsquvPEdZi+A

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3976	svcupdater.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3996	schtasks.exe

GoLang User-Agent 5 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	4	Go-http-client/1.1
HTTP User-Agent header	7	Go-http-client/1.1
HTTP User-Agent header	8	Go-http-client/1.1
HTTP User-Agent header	10	Go-http-client/1.1
HTTP User-Agent header	11	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 3512	2712	876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe	66
PID 2712 wrote to memory of 3512	2712	876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe	66
PID 3512 wrote to memory of 3996	3512	cmd.exe	68
PID 3512 wrote to memory of 3996	3512	cmd.exe	68

C:\Users\Admin\AppData\Local\Temp\876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe
"C:\Users\Admin\AppData\Local\Temp\876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\system32\cmd.exe
  cmd.exe "/C schtasks /create /tn \kBqZwNWVQe /tr \"C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \kBqZwNWVQe /tr \"C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
    3⤵
    - Creates scheduled task(s)
    PID:3996

C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe
C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe
1⤵
- Executes dropped EXE
PID:3976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe

Filesize
4.8MB

MD5
80750ddfb5cfe9eb8e2adac60f372534

SHA1
a720efe2b3ef7735efd77de698a5576b36068d07

SHA256
876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04

SHA512
bf4100fc99282c91ec03c8c234d320321e21e5e4120c45c2cd5cfeaffcf07d4e67143e61407b570448bea16b44ed0bf7ad720e61ca2ae5d30d804c5fc8266d6f

Download Submit
C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe

Filesize
4.8MB

MD5
80750ddfb5cfe9eb8e2adac60f372534

SHA1
a720efe2b3ef7735efd77de698a5576b36068d07

SHA256
876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04

SHA512
bf4100fc99282c91ec03c8c234d320321e21e5e4120c45c2cd5cfeaffcf07d4e67143e61407b570448bea16b44ed0bf7ad720e61ca2ae5d30d804c5fc8266d6f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads