873e9fb03b58e3a8f103ef24933427a86409b8f7560e9ee2a442e9195883ec42

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 12:31

Target

c427b08548edc2deef70da3c60855d54.exe
Size

4.6MB
MD5

c427b08548edc2deef70da3c60855d54
SHA1

7c2d7499133cc80b28e782659e80fb34b1f6eaef
SHA256

873e9fb03b58e3a8f103ef24933427a86409b8f7560e9ee2a442e9195883ec42
SHA512

cd153f47cc205d8ff84e3cf4194f0d79527e98ac43a089fcfce798d9262e9d3cc44b81aa78a6e6e993b3dd147021603590f73da7f8a87742dcec1ab9f19b2436
SSDEEP

49152:d/7Fssv0KaUhzp+Z9vAaE5FKY/t764UzLUA/AOiyjrbsnnzvSn9r8PN/+9njVVn+:d5sypV+Zp4UzJ/TknzpG9XOY

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

BiPVblzpeN.exe

pid process

528 BiPVblzpeN.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4352 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 20 Go-http-client/1.1

pid	process
528	BiPVblzpeN.exe

pid	process
4352	schtasks.exe

description	flow	ioc
HTTP User-Agent header	20	Go-http-client/1.1

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c427b08548edc2deef70da3c60855d54.execmd.exe

description	pid	process	target process
PID 2492 wrote to memory of 2052	2492	c427b08548edc2deef70da3c60855d54.exe	cmd.exe
PID 2492 wrote to memory of 2052	2492	c427b08548edc2deef70da3c60855d54.exe	cmd.exe
PID 2492 wrote to memory of 2052	2492	c427b08548edc2deef70da3c60855d54.exe	cmd.exe
PID 2052 wrote to memory of 4352	2052	cmd.exe	schtasks.exe
PID 2052 wrote to memory of 4352	2052	cmd.exe	schtasks.exe
PID 2052 wrote to memory of 4352	2052	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c427b08548edc2deef70da3c60855d54.exe
"C:\Users\Admin\AppData\Local\Temp\c427b08548edc2deef70da3c60855d54.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C schtasks /create /tn qYbPaHSINu /tr C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn qYbPaHSINu /tr C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:4352

C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe
C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe
1⤵
- Executes dropped EXE
PID:528

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe
Filesize
735.6MB

MD5
4cbd9eccc7e1e72de068467877087164

SHA1
3863f218ca2f1120af8300f7f4a1426b9be48d7a

SHA256
fe7e9bec3e16caf3d35c5f762018d833e9b2c47d67f01c58b996a331b20a5e0d

SHA512
4b28f5fbe8f0d3b986abfca4231392056a46d4ba73847707b14c42540c5a5d7df47aa7fa64a60cbbf43ed77e138bfa23128295821d95a004cdf790de302fac6e

Download Submit
C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe
Filesize
735.6MB

MD5
4cbd9eccc7e1e72de068467877087164

SHA1
3863f218ca2f1120af8300f7f4a1426b9be48d7a

SHA256
fe7e9bec3e16caf3d35c5f762018d833e9b2c47d67f01c58b996a331b20a5e0d

SHA512
4b28f5fbe8f0d3b986abfca4231392056a46d4ba73847707b14c42540c5a5d7df47aa7fa64a60cbbf43ed77e138bfa23128295821d95a004cdf790de302fac6e

Download Submit
memory/2052-132-0x0000000000000000-mapping.dmp

Download
memory/4352-133-0x0000000000000000-mapping.dmp

Download