873e9fb03b58e3a8f103ef24933427a86409b8f7560e9ee2a442e9195883ec42

Analysis

max time kernel
163s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 11:51

Target

873e9fb03b58e3a8f103ef24933427a86409b8f7560e9ee2a442e9195883ec42.exe
Size

4.6MB
MD5

c427b08548edc2deef70da3c60855d54
SHA1

7c2d7499133cc80b28e782659e80fb34b1f6eaef
SHA256

873e9fb03b58e3a8f103ef24933427a86409b8f7560e9ee2a442e9195883ec42
SHA512

cd153f47cc205d8ff84e3cf4194f0d79527e98ac43a089fcfce798d9262e9d3cc44b81aa78a6e6e993b3dd147021603590f73da7f8a87742dcec1ab9f19b2436
SSDEEP

49152:d/7Fssv0KaUhzp+Z9vAaE5FKY/t764UzLUA/AOiyjrbsnnzvSn9r8PN/+9njVVn+:d5sypV+Zp4UzJ/TknzpG9XOY

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

BiPVblzpeN.exe

pid process

1744 BiPVblzpeN.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4432 schtasks.exe

pid	process
1744	BiPVblzpeN.exe

pid	process
4432	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

873e9fb03b58e3a8f103ef24933427a86409b8f7560e9ee2a442e9195883ec42.execmd.exe

description	pid	process	target process
PID 4548 wrote to memory of 1676	4548	873e9fb03b58e3a8f103ef24933427a86409b8f7560e9ee2a442e9195883ec42.exe	cmd.exe
PID 4548 wrote to memory of 1676	4548	873e9fb03b58e3a8f103ef24933427a86409b8f7560e9ee2a442e9195883ec42.exe	cmd.exe
PID 4548 wrote to memory of 1676	4548	873e9fb03b58e3a8f103ef24933427a86409b8f7560e9ee2a442e9195883ec42.exe	cmd.exe
PID 1676 wrote to memory of 4432	1676	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 4432	1676	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 4432	1676	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\873e9fb03b58e3a8f103ef24933427a86409b8f7560e9ee2a442e9195883ec42.exe
"C:\Users\Admin\AppData\Local\Temp\873e9fb03b58e3a8f103ef24933427a86409b8f7560e9ee2a442e9195883ec42.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C schtasks /create /tn qYbPaHSINu /tr C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn qYbPaHSINu /tr C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:4432

C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe
C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe
1⤵
- Executes dropped EXE
PID:1744

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe

Filesize
7.5MB

MD5
e91568a1bbf900cfac4a7a29b1b57c86

SHA1
6e6a677894c453272e9ff7dde66488b8d79f41f5

SHA256
605ffd6751a4fd12f6dd3b28cd7666d32d801d2f3569eae2f5a6de58e1dd2690

SHA512
ef6aea696a407b2a49306381f96f89c6846cc6d36707877eb4a43d4924ffddeb8dbd54e3c199d287674eed43f8930e5197fd6da1b21712c7b0a5993ed0b4ccdb

Download Submit
C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe

Filesize
8.5MB

MD5
31d8b17dec6c021001a400167b0bab80

SHA1
96411b4de7b0d50db5bf532c62e6420939104719

SHA256
5f4f9b208148885c9a4ac4c8c27d7a8150af6958977581defea5c0d2992b38dc

SHA512
09eb7f1499b484825965019026394ac0c7d7c52e0cb191db1e0b82a8da1fac55f8ac73c1a9bb7c8b795f9221551928cfc5e1e0669ff5dcd4fedbd4e0af8264fa

Download Submit
memory/1676-132-0x0000000000000000-mapping.dmp

Download
memory/4432-133-0x0000000000000000-mapping.dmp

Download