53b62ca42c37c8c147b9f338ed67c69ab1316c52190d0ee5729f741971377f94

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53b62ca42c37c8c147b9f338ed67c69ab1316c52190d0ee5729f741971377f94.exe
Size

2.2MB
MD5

ef49a68699e4afe250004503ef5504bd
SHA1

13d0dc63f5bbd7ff88c715d95e1b49a9d7783280
SHA256

53b62ca42c37c8c147b9f338ed67c69ab1316c52190d0ee5729f741971377f94
SHA512

c0de78ceaafb4377cacefbfbfeb4a70f2eaa151afbcc00d9fcb4dbdb048487a88df6d1732b879602a2273396a7d8cfdb9618aaa3237b2e4b1f4c1f69743fa4cc
SSDEEP

49152:DR7ZKbuMoZjRE41gn0tfSsFdCaJih2WKTATNa+69LVh9zOpN1m2Ib2yk3YG+I2:NF4uMWSwgnqfSsbBJiU/TAQv9LtzOBmH

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

lwYrQLZKNj.exe

pid process

460 lwYrQLZKNj.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3372 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 32 Go-http-client/1.1

pid	process
460	lwYrQLZKNj.exe

pid	process
3372	schtasks.exe

description	flow	ioc
HTTP User-Agent header	32	Go-http-client/1.1

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

53b62ca42c37c8c147b9f338ed67c69ab1316c52190d0ee5729f741971377f94.execmd.exe

description	pid	process	target process
PID 2816 wrote to memory of 2132	2816	53b62ca42c37c8c147b9f338ed67c69ab1316c52190d0ee5729f741971377f94.exe	cmd.exe
PID 2816 wrote to memory of 2132	2816	53b62ca42c37c8c147b9f338ed67c69ab1316c52190d0ee5729f741971377f94.exe	cmd.exe
PID 2816 wrote to memory of 2132	2816	53b62ca42c37c8c147b9f338ed67c69ab1316c52190d0ee5729f741971377f94.exe	cmd.exe
PID 2132 wrote to memory of 3372	2132	cmd.exe	schtasks.exe
PID 2132 wrote to memory of 3372	2132	cmd.exe	schtasks.exe
PID 2132 wrote to memory of 3372	2132	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\53b62ca42c37c8c147b9f338ed67c69ab1316c52190d0ee5729f741971377f94.exe
"C:\Users\Admin\AppData\Local\Temp\53b62ca42c37c8c147b9f338ed67c69ab1316c52190d0ee5729f741971377f94.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C schtasks /create /tn ZyXJEGMocf /tr C:\Users\Admin\AppData\Roaming\ZyXJEGMocf\lwYrQLZKNj.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn ZyXJEGMocf /tr C:\Users\Admin\AppData\Roaming\ZyXJEGMocf\lwYrQLZKNj.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:3372

C:\Users\Admin\AppData\Roaming\ZyXJEGMocf\lwYrQLZKNj.exe
C:\Users\Admin\AppData\Roaming\ZyXJEGMocf\lwYrQLZKNj.exe
1⤵
- Executes dropped EXE
PID:460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ZyXJEGMocf\lwYrQLZKNj.exe
Filesize
638.6MB

MD5
c1081ae5323040dc19302340ed6d4c93

SHA1
0614ccddd237d46d61bb154bb8c1878d0fa8443f

SHA256
ee4d8468104d33f5d91331c0570dc29a4c49140d183fb46680e79aa46d09e570

SHA512
98bd14a00e75a0d6ab789b352b8a64f413a9651915883e1375c3112e8aadd4342d152a0bc7c94654769f63173cf97e4a6093b4c71fc75774efda88bfe4079dac

Download Submit
C:\Users\Admin\AppData\Roaming\ZyXJEGMocf\lwYrQLZKNj.exe
Filesize
638.6MB

MD5
c1081ae5323040dc19302340ed6d4c93

SHA1
0614ccddd237d46d61bb154bb8c1878d0fa8443f

SHA256
ee4d8468104d33f5d91331c0570dc29a4c49140d183fb46680e79aa46d09e570

SHA512
98bd14a00e75a0d6ab789b352b8a64f413a9651915883e1375c3112e8aadd4342d152a0bc7c94654769f63173cf97e4a6093b4c71fc75774efda88bfe4079dac

Download Submit
memory/460-141-0x00000000026D3000-0x00000000028F2000-memory.dmp

Filesize
2.1MB

Download
memory/460-142-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/460-143-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/2132-136-0x0000000000000000-mapping.dmp

Download
memory/2816-133-0x00000000028FF000-0x0000000002B1E000-memory.dmp

Filesize
2.1MB

Download
memory/2816-134-0x0000000002B20000-0x0000000002FB9000-memory.dmp

Filesize
4.6MB

Download
memory/2816-135-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/2816-138-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/3372-137-0x0000000000000000-mapping.dmp

Download