9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354

General

Target

9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
Size

362KB
MD5

cd8fe619d7599207aca53f10348cfb83
SHA1

344c231e4e6ddb37565951234ed64db4e71f6c6b
SHA256

9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354
SHA512

7a7625316b2387f659b417bb525093b47058b2cf2b108678bc62ad154a4ab887771641745bae03c9292acb57c3ebff6ae3ed4e17868e4f9b37a7672b907aa81c
SSDEEP

6144:H7UU2Ffp6gBmmJQaK6HcprAga+13pFjlGLa9z/Z0nL1uk4QMHYt5fH:H7U36mvmrAIpXGkI4Q6Yt5v

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 564 set thread context of 1924	564	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	28

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
564	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
564	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
564	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
564	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	564	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
Token: SeDebugPrivilege	1924	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 1924	564	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	28
PID 564 wrote to memory of 1924	564	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	28
PID 564 wrote to memory of 1924	564	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	28
PID 564 wrote to memory of 1924	564	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	28
PID 564 wrote to memory of 1924	564	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	28
PID 564 wrote to memory of 1924	564	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	28
PID 564 wrote to memory of 1924	564	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	28
PID 564 wrote to memory of 1924	564	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	28
PID 564 wrote to memory of 1924	564	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	28
PID 1924 wrote to memory of 1968	1924	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	29
PID 1924 wrote to memory of 1968	1924	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	29
PID 1924 wrote to memory of 1968	1924	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	29
PID 1924 wrote to memory of 1968	1924	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	29
PID 1968 wrote to memory of 1664	1968	cmd.exe	31
PID 1968 wrote to memory of 1664	1968	cmd.exe	31
PID 1968 wrote to memory of 1664	1968	cmd.exe	31
PID 1968 wrote to memory of 1664	1968	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
"C:\Users\Admin\AppData\Local\Temp\9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564
- C:\Users\Admin\AppData\Local\Temp\9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
  "C:\Users\Admin\AppData\Local\Temp\9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /tn \cIVjqALJut /tr "C:\Users\Admin\AppData\Roaming\cIVjqALJut\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn \cIVjqALJut /tr "C:\Users\Admin\AppData\Roaming\cIVjqALJut\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      4⤵
      Creates scheduled task(s)
      PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-54-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/564-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/564-56-0x0000000000910000-0x0000000000940000-memory.dmp

Filesize
192KB

Download
memory/564-57-0x0000000000A30000-0x0000000000A48000-memory.dmp

Filesize
96KB

Download
memory/564-58-0x0000000000C20000-0x0000000000C3A000-memory.dmp

Filesize
104KB

Download
memory/564-59-0x0000000004200000-0x0000000004206000-memory.dmp

Filesize
24KB

Download
memory/1924-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1924-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1924-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1924-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1924-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1924-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1924-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads