1dc67eb129e32b976031eb223e549092154d84d9d936ec55fab5667ee3e8f602

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 11:23

Target

1dc67eb129e32b976031eb223e549092154d84d9d936ec55fab5667ee3e8f602.exe
Size

8KB
MD5

af944ff6ede6e544bd6910aa9b9180b3
SHA1

2274336ac45c75b32db66c9a8ca41013b5f76548
SHA256

1dc67eb129e32b976031eb223e549092154d84d9d936ec55fab5667ee3e8f602
SHA512

6142995db90d6811bf961ec2db4f8b13cc8f01d77b5f4edd4354287d3b813a97bd46bba891b2d3a21a44e2009b6b374af9a433a741fcc55818e1ce21638b308d
SSDEEP

96:7Z83yfYaodPyaH1EWo0UYDQGAhNdcMu4cybu8xOL3yfXYPznlV73AFRvaf2sP0M:7ZtPWyavUSAlRR3fYL37AFxaZ

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

svcupdater.exe

pid process

1028 svcupdater.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4824 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svcupdater.exe

description pid process

Token: SeDebugPrivilege 1028 svcupdater.exe

pid	process
1028	svcupdater.exe

pid	process
4824	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1028	svcupdater.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1dc67eb129e32b976031eb223e549092154d84d9d936ec55fab5667ee3e8f602.execmd.exe

description	pid	process	target process
PID 4888 wrote to memory of 3716	4888	1dc67eb129e32b976031eb223e549092154d84d9d936ec55fab5667ee3e8f602.exe	cmd.exe
PID 4888 wrote to memory of 3716	4888	1dc67eb129e32b976031eb223e549092154d84d9d936ec55fab5667ee3e8f602.exe	cmd.exe
PID 3716 wrote to memory of 4824	3716	cmd.exe	schtasks.exe
PID 3716 wrote to memory of 4824	3716	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\1dc67eb129e32b976031eb223e549092154d84d9d936ec55fab5667ee3e8f602.exe
"C:\Users\Admin\AppData\Local\Temp\1dc67eb129e32b976031eb223e549092154d84d9d936ec55fab5667ee3e8f602.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C schtasks /create /tn \kLfNdhbScV /tr "C:\Users\Admin\AppData\Roaming\kLfNdhbScV\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\system32\schtasks.exe
schtasks /create /tn \kLfNdhbScV /tr "C:\Users\Admin\AppData\Roaming\kLfNdhbScV\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:4824

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Roaming\kLfNdhbScV\svcupdater.exe
Filesize
535.1MB

MD5
c5210e983b00e51f3c03704275387d0e

SHA1
107aa766e0b0fffc90e4f51f5062b8efc86d907b

SHA256
ed982e12987e6371c6e2f76a4942dbf16e180d22415fe741890f8b9ef0a32088

SHA512
c0863fb18cfb0165a0bc1d90c49db3c9696b6441e433468b42750112debc9c35345bb3dc725bff4501db9faf062c88683cae0cf8133bdb171dd5b387a0176c5c

Download Submit
C:\Users\Admin\AppData\Roaming\kLfNdhbScV\svcupdater.exe
Filesize
535.0MB

MD5
61e6318d3ab3619dd1a96f4e69e16ddb

SHA1
02d267fe07754f42346125c07caa10db450cf517

SHA256
0cf305c4fa5bd7166a4383a2318e693dcede0e918710431f86e5223645e42110

SHA512
31686beeb5e6ecc4c40debd20ff8bb333c061ac9a6c5e79b2910c405e46cb902cd01c0eb0793a6861d476dabd0b64f7a19dfd9342fe80bd99cefbed2d5073618

Download Submit
memory/1028-140-0x00007FFAA3370000-0x00007FFAA3E31000-memory.dmp

Filesize
10.8MB

Download
memory/1028-141-0x00007FFAA3370000-0x00007FFAA3E31000-memory.dmp

Filesize
10.8MB

Download
memory/3716-135-0x0000000000000000-mapping.dmp

Download
memory/4824-136-0x0000000000000000-mapping.dmp

Download
memory/4888-132-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/4888-133-0x00007FFAA2D50000-0x00007FFAA3811000-memory.dmp

Filesize
10.8MB

Download
memory/4888-134-0x00007FFAA2D50000-0x00007FFAA3811000-memory.dmp

Filesize
10.8MB

Download
memory/4888-137-0x00007FFAA2D50000-0x00007FFAA3811000-memory.dmp

Filesize
10.8MB

Download