30fd97d7a9a59e477fb3c5f2fcd09c847916862951f4493655515f493fda6352

General

Target

a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe
Size

3.4MB
MD5

0349e342af5e3cf743ce2175323ac62b
SHA1

e211bcd37e233a07324419ca908f23c0cbfe658f
SHA256

a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4
SHA512

1b4c84c96fc2391916715ebdaf4634b0c1b123e075f5ade99ccf903406e48605c6b5a4d29c7cc15585866604ae1d97af6813a25155be1ccb95e69bb8c2967374
SSDEEP

98304:wivAmOlajnlMgF1X82Z+TArRschrFNyQFLOAkGkzdnEVomFHKnPe:w/KlMgDvrFNyQFLOyomFHKnPe

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 14 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

flow	pid	process
1	1992	rundll32.exe
1	1992	rundll32.exe
3	1764	rundll32.exe
1	1992	rundll32.exe
3	1764	rundll32.exe
1	1992	rundll32.exe
3	1764	rundll32.exe
4	1192	rundll32.exe
1	1992	rundll32.exe
3	1764	rundll32.exe
4	1192	rundll32.exe
1	1992	rundll32.exe
3	1764	rundll32.exe
4	1192	rundll32.exe

Executes dropped EXE 2 IoCs

Processes:

WUDFHost32.exeWUDFHost32.exe

pid process

1356 WUDFHost32.exe
992 WUDFHost32.exe

pid	process
1356	WUDFHost32.exe
992	WUDFHost32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exeWUDFHost32.exeWUDFHost32.exe

description	pid	process	target process
PID 1696 set thread context of 1992	1696	a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe	rundll32.exe
PID 1356 set thread context of 1764	1356	WUDFHost32.exe	rundll32.exe
PID 992 set thread context of 1192	992	WUDFHost32.exe	rundll32.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1768 schtasks.exe
1476 schtasks.exe
940 schtasks.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exeWUDFHost32.exeWUDFHost32.exe

pid process

1696 a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe
1356 WUDFHost32.exe
992 WUDFHost32.exe

pid	process
1768	schtasks.exe
1476	schtasks.exe
940	schtasks.exe

pid	process
1696	a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe
1356	WUDFHost32.exe
992	WUDFHost32.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exetaskeng.exeWUDFHost32.exeWUDFHost32.exe

description	pid	process	target process
PID 1696 wrote to memory of 940	1696	a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe	schtasks.exe
PID 1696 wrote to memory of 940	1696	a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe	schtasks.exe
PID 1696 wrote to memory of 940	1696	a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe	schtasks.exe
PID 1696 wrote to memory of 940	1696	a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe	schtasks.exe
PID 1696 wrote to memory of 1992	1696	a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe	rundll32.exe
PID 1696 wrote to memory of 1992	1696	a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe	rundll32.exe
PID 1696 wrote to memory of 1992	1696	a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe	rundll32.exe
PID 1696 wrote to memory of 1992	1696	a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe	rundll32.exe
PID 1696 wrote to memory of 1992	1696	a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe	rundll32.exe
PID 1696 wrote to memory of 1992	1696	a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe	rundll32.exe
PID 1696 wrote to memory of 1992	1696	a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe	rundll32.exe
PID 1696 wrote to memory of 1992	1696	a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe	rundll32.exe
PID 320 wrote to memory of 1356	320	taskeng.exe	WUDFHost32.exe
PID 320 wrote to memory of 1356	320	taskeng.exe	WUDFHost32.exe
PID 320 wrote to memory of 1356	320	taskeng.exe	WUDFHost32.exe
PID 320 wrote to memory of 1356	320	taskeng.exe	WUDFHost32.exe
PID 1356 wrote to memory of 1768	1356	WUDFHost32.exe	schtasks.exe
PID 1356 wrote to memory of 1768	1356	WUDFHost32.exe	schtasks.exe
PID 1356 wrote to memory of 1768	1356	WUDFHost32.exe	schtasks.exe
PID 1356 wrote to memory of 1768	1356	WUDFHost32.exe	schtasks.exe
PID 1356 wrote to memory of 1764	1356	WUDFHost32.exe	rundll32.exe
PID 1356 wrote to memory of 1764	1356	WUDFHost32.exe	rundll32.exe
PID 1356 wrote to memory of 1764	1356	WUDFHost32.exe	rundll32.exe
PID 1356 wrote to memory of 1764	1356	WUDFHost32.exe	rundll32.exe
PID 1356 wrote to memory of 1764	1356	WUDFHost32.exe	rundll32.exe
PID 1356 wrote to memory of 1764	1356	WUDFHost32.exe	rundll32.exe
PID 1356 wrote to memory of 1764	1356	WUDFHost32.exe	rundll32.exe
PID 1356 wrote to memory of 1764	1356	WUDFHost32.exe	rundll32.exe
PID 320 wrote to memory of 992	320	taskeng.exe	WUDFHost32.exe
PID 320 wrote to memory of 992	320	taskeng.exe	WUDFHost32.exe
PID 320 wrote to memory of 992	320	taskeng.exe	WUDFHost32.exe
PID 320 wrote to memory of 992	320	taskeng.exe	WUDFHost32.exe
PID 992 wrote to memory of 1476	992	WUDFHost32.exe	schtasks.exe
PID 992 wrote to memory of 1476	992	WUDFHost32.exe	schtasks.exe
PID 992 wrote to memory of 1476	992	WUDFHost32.exe	schtasks.exe
PID 992 wrote to memory of 1476	992	WUDFHost32.exe	schtasks.exe
PID 992 wrote to memory of 1192	992	WUDFHost32.exe	rundll32.exe
PID 992 wrote to memory of 1192	992	WUDFHost32.exe	rundll32.exe
PID 992 wrote to memory of 1192	992	WUDFHost32.exe	rundll32.exe
PID 992 wrote to memory of 1192	992	WUDFHost32.exe	rundll32.exe
PID 992 wrote to memory of 1192	992	WUDFHost32.exe	rundll32.exe
PID 992 wrote to memory of 1192	992	WUDFHost32.exe	rundll32.exe
PID 992 wrote to memory of 1192	992	WUDFHost32.exe	rundll32.exe
PID 992 wrote to memory of 1192	992	WUDFHost32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe
"C:\Users\Admin\AppData\Local\Temp\a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /sc minute /mo 1 /tn "System" /tr C:\Users\Admin\AppData\Local\Temp\WUDFHost32.exe
2⤵
- Creates scheduled task(s)
PID:940

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe
2⤵
- Blocklisted process makes network request
PID:1992

C:\Windows\system32\taskeng.exe
taskeng.exe {8141CB5E-4609-4A22-85BD-3651B3C4EFD9} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Local\Temp\WUDFHost32.exe
C:\Users\Admin\AppData\Local\Temp\WUDFHost32.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /sc minute /mo 1 /tn "System" /tr C:\Users\Admin\AppData\Local\Temp\WUDFHost32.exe
3⤵
- Creates scheduled task(s)
PID:1768

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe
3⤵
- Blocklisted process makes network request
PID:1764

C:\Users\Admin\AppData\Local\Temp\WUDFHost32.exe
C:\Users\Admin\AppData\Local\Temp\WUDFHost32.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /sc minute /mo 1 /tn "System" /tr C:\Users\Admin\AppData\Local\Temp\WUDFHost32.exe
3⤵
- Creates scheduled task(s)
PID:1476

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe
3⤵
- Blocklisted process makes network request
PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WUDFHost32.exe

Filesize
3.4MB

MD5
0349e342af5e3cf743ce2175323ac62b

SHA1
e211bcd37e233a07324419ca908f23c0cbfe658f

SHA256
a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4

SHA512
1b4c84c96fc2391916715ebdaf4634b0c1b123e075f5ade99ccf903406e48605c6b5a4d29c7cc15585866604ae1d97af6813a25155be1ccb95e69bb8c2967374

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUDFHost32.exe

Filesize
3.4MB

MD5
0349e342af5e3cf743ce2175323ac62b

SHA1
e211bcd37e233a07324419ca908f23c0cbfe658f

SHA256
a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4

SHA512
1b4c84c96fc2391916715ebdaf4634b0c1b123e075f5ade99ccf903406e48605c6b5a4d29c7cc15585866604ae1d97af6813a25155be1ccb95e69bb8c2967374

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUDFHost32.exe

Filesize
3.4MB

MD5
0349e342af5e3cf743ce2175323ac62b

SHA1
e211bcd37e233a07324419ca908f23c0cbfe658f

SHA256
a28bd9e9f52e49517ca692f5e24733a15c0832fb823d767e699f0656bbd7f3f4

SHA512
1b4c84c96fc2391916715ebdaf4634b0c1b123e075f5ade99ccf903406e48605c6b5a4d29c7cc15585866604ae1d97af6813a25155be1ccb95e69bb8c2967374

Download Submit
memory/940-55-0x0000000000000000-mapping.dmp

Download
memory/992-65-0x0000000000000000-mapping.dmp

Download
memory/1192-69-0x0000000000EA178C-mapping.dmp

Download
memory/1356-59-0x0000000000000000-mapping.dmp

Download
memory/1476-68-0x0000000000000000-mapping.dmp

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1764-63-0x0000000000EA178C-mapping.dmp

Download
memory/1768-62-0x0000000000000000-mapping.dmp

Download
memory/1992-56-0x0000000000EA178C-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads