6ef69ab2ed264d672bada67465c1287c3bfea8c7723ce33fcf742742080ed76c

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7f3aff30b133321d3c507753d421d31.exe
Size

5.4MB
MD5

c7f3aff30b133321d3c507753d421d31
SHA1

3776c814fd2adef5784795dd645bd8feedf81b90
SHA256

6ef69ab2ed264d672bada67465c1287c3bfea8c7723ce33fcf742742080ed76c
SHA512

be055948bd7d3b14d2107867fb931c0285bb882c99101d79c00be6830e99bd7813bdf7c7b4835d7371e64d6461e3c4a167ac68461ecf9548d5e8f8387c5e007e
SSDEEP

98304:nrQmgcbtAg2kfiTtgjecT/HuCEhlxy9VWMea/o/75ntv0r/nS1QPLDFNE:nrQYbtAgx4SlT/pErxcV67ptvyLDPE

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
856	4844	WerFault.exe	81

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4808	schtasks.exe
5004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4844	c7f3aff30b133321d3c507753d421d31.exe
4844	c7f3aff30b133321d3c507753d421d31.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4808	4844	c7f3aff30b133321d3c507753d421d31.exe	82
PID 4844 wrote to memory of 4808	4844	c7f3aff30b133321d3c507753d421d31.exe	82
PID 4844 wrote to memory of 4808	4844	c7f3aff30b133321d3c507753d421d31.exe	82
PID 4844 wrote to memory of 5084	4844	c7f3aff30b133321d3c507753d421d31.exe	84
PID 4844 wrote to memory of 5084	4844	c7f3aff30b133321d3c507753d421d31.exe	84
PID 4844 wrote to memory of 5084	4844	c7f3aff30b133321d3c507753d421d31.exe	84
PID 4844 wrote to memory of 5004	4844	c7f3aff30b133321d3c507753d421d31.exe	86
PID 4844 wrote to memory of 5004	4844	c7f3aff30b133321d3c507753d421d31.exe	86
PID 4844 wrote to memory of 5004	4844	c7f3aff30b133321d3c507753d421d31.exe	86

C:\Users\Admin\AppData\Local\Temp\c7f3aff30b133321d3c507753d421d31.exe
"C:\Users\Admin\AppData\Local\Temp\c7f3aff30b133321d3c507753d421d31.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Program Compatibility Assistant User Interface{J4G6S2G5EF4N4-J4Y7E3H5D7-G4J7S3X2N4F4}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Program Compatibility Assistant\pcaUI.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4808
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "Program Compatibility Assistant User Interface{J4G6S2G5EF4N4-J4Y7E3H5D7-G4J7S3X2N4F4}"
  2⤵
  PID:5084
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /tn "Program Compatibility Assistant User Interface{J4G6S2G5EF4N4-J4Y7E3H5D7-G4J7S3X2N4F4}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Program Compatibility Assistant\47658327589327590845"
  2⤵
  - Creates scheduled task(s)
  PID:5004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 568
  2⤵
  - Program crash
  PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4844 -ip 4844
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Program Compatibility Assistant\47658327589327590845

Filesize
1KB

MD5
a7a87c14ed51cbe352ad20f02eba63a8

SHA1
ab027d40e48df5b7b4d6359f070dbfba3deca668

SHA256
50a71c51325cfeb6b8773388c03d15ac5117a951213cb835e7daca01c5825df0

SHA512
8aceb031106cd9b68807c196bdc102cf1979db1e63788cc768b135809e540b995f7d37dd40dd0bd67e33b2ca58d1e0bf19326ac085c09831074245339809dad2

Download Submit
memory/4844-132-0x0000000000400000-0x0000000000C66000-memory.dmp

Filesize
8.4MB

Download
memory/4844-133-0x0000000000400000-0x0000000000C66000-memory.dmp

Filesize
8.4MB

Download
memory/4844-138-0x0000000000400000-0x0000000000C66000-memory.dmp

Filesize
8.4MB

Download