9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354

General

Target

9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
Size

362KB
MD5

cd8fe619d7599207aca53f10348cfb83
SHA1

344c231e4e6ddb37565951234ed64db4e71f6c6b
SHA256

9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354
SHA512

7a7625316b2387f659b417bb525093b47058b2cf2b108678bc62ad154a4ab887771641745bae03c9292acb57c3ebff6ae3ed4e17868e4f9b37a7672b907aa81c
SSDEEP

6144:H7UU2Ffp6gBmmJQaK6HcprAga+13pFjlGLa9z/Z0nL1uk4QMHYt5fH:H7U36mvmrAIpXGkI4Q6Yt5v

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4628	svcupdater.exe
3484	svcupdater.exe
3008	svcupdater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4740 set thread context of 2420	4740	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	82
PID 4628 set thread context of 3484	4628	svcupdater.exe	94

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2124	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4740	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
4740	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
4740	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
4740	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
4628	svcupdater.exe
4628	svcupdater.exe
4628	svcupdater.exe
4628	svcupdater.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
Token: SeDebugPrivilege	2420	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
Token: SeDebugPrivilege	4628	svcupdater.exe
Token: SeDebugPrivilege	3484	svcupdater.exe
Token: SeDebugPrivilege	3008	svcupdater.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 2420	4740	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	82
PID 4740 wrote to memory of 2420	4740	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	82
PID 4740 wrote to memory of 2420	4740	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	82
PID 4740 wrote to memory of 2420	4740	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	82
PID 4740 wrote to memory of 2420	4740	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	82
PID 4740 wrote to memory of 2420	4740	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	82
PID 4740 wrote to memory of 2420	4740	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	82
PID 4740 wrote to memory of 2420	4740	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	82
PID 2420 wrote to memory of 1576	2420	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	90
PID 2420 wrote to memory of 1576	2420	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	90
PID 2420 wrote to memory of 1576	2420	9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe	90
PID 1576 wrote to memory of 2124	1576	cmd.exe	92
PID 1576 wrote to memory of 2124	1576	cmd.exe	92
PID 1576 wrote to memory of 2124	1576	cmd.exe	92
PID 4628 wrote to memory of 3484	4628	svcupdater.exe	94
PID 4628 wrote to memory of 3484	4628	svcupdater.exe	94
PID 4628 wrote to memory of 3484	4628	svcupdater.exe	94
PID 4628 wrote to memory of 3484	4628	svcupdater.exe	94
PID 4628 wrote to memory of 3484	4628	svcupdater.exe	94
PID 4628 wrote to memory of 3484	4628	svcupdater.exe	94
PID 4628 wrote to memory of 3484	4628	svcupdater.exe	94
PID 4628 wrote to memory of 3484	4628	svcupdater.exe	94

C:\Users\Admin\AppData\Local\Temp\9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
"C:\Users\Admin\AppData\Local\Temp\9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe
  "C:\Users\Admin\AppData\Local\Temp\9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /tn \cIVjqALJut /tr "C:\Users\Admin\AppData\Roaming\cIVjqALJut\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn \cIVjqALJut /tr "C:\Users\Admin\AppData\Roaming\cIVjqALJut\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      4⤵
      Creates scheduled task(s)
      PID:2124

C:\Users\Admin\AppData\Roaming\cIVjqALJut\svcupdater.exe
C:\Users\Admin\AppData\Roaming\cIVjqALJut\svcupdater.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Users\Admin\AppData\Roaming\cIVjqALJut\svcupdater.exe
  "C:\Users\Admin\AppData\Roaming\cIVjqALJut\svcupdater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3484

C:\Users\Admin\AppData\Roaming\cIVjqALJut\svcupdater.exe
C:\Users\Admin\AppData\Roaming\cIVjqALJut\svcupdater.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354.exe.log

Filesize
1KB

MD5
9a2d0ce437d2445330f2646472703087

SHA1
33c83e484a15f35c2caa3af62d5da6b7713a20ae

SHA256
30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c

SHA512
a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svcupdater.exe.log

Filesize
1KB

MD5
9a2d0ce437d2445330f2646472703087

SHA1
33c83e484a15f35c2caa3af62d5da6b7713a20ae

SHA256
30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c

SHA512
a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d

Download Submit
C:\Users\Admin\AppData\Roaming\cIVjqALJut\svcupdater.exe

Filesize
362KB

MD5
cd8fe619d7599207aca53f10348cfb83

SHA1
344c231e4e6ddb37565951234ed64db4e71f6c6b

SHA256
9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354

SHA512
7a7625316b2387f659b417bb525093b47058b2cf2b108678bc62ad154a4ab887771641745bae03c9292acb57c3ebff6ae3ed4e17868e4f9b37a7672b907aa81c

Download Submit
C:\Users\Admin\AppData\Roaming\cIVjqALJut\svcupdater.exe

Filesize
362KB

MD5
cd8fe619d7599207aca53f10348cfb83

SHA1
344c231e4e6ddb37565951234ed64db4e71f6c6b

SHA256
9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354

SHA512
7a7625316b2387f659b417bb525093b47058b2cf2b108678bc62ad154a4ab887771641745bae03c9292acb57c3ebff6ae3ed4e17868e4f9b37a7672b907aa81c

Download Submit
C:\Users\Admin\AppData\Roaming\cIVjqALJut\svcupdater.exe

Filesize
362KB

MD5
cd8fe619d7599207aca53f10348cfb83

SHA1
344c231e4e6ddb37565951234ed64db4e71f6c6b

SHA256
9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354

SHA512
7a7625316b2387f659b417bb525093b47058b2cf2b108678bc62ad154a4ab887771641745bae03c9292acb57c3ebff6ae3ed4e17868e4f9b37a7672b907aa81c

Download Submit
C:\Users\Admin\AppData\Roaming\cIVjqALJut\svcupdater.exe

Filesize
362KB

MD5
cd8fe619d7599207aca53f10348cfb83

SHA1
344c231e4e6ddb37565951234ed64db4e71f6c6b

SHA256
9b46704e3343d6dfde4d53500bffeba23aebff63a42bf96016b8114ba5f79354

SHA512
7a7625316b2387f659b417bb525093b47058b2cf2b108678bc62ad154a4ab887771641745bae03c9292acb57c3ebff6ae3ed4e17868e4f9b37a7672b907aa81c

Download Submit
memory/2420-138-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4628-144-0x0000000000F80000-0x0000000000FE0000-memory.dmp

Filesize
384KB

Download
memory/4740-132-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/4740-136-0x0000000006C80000-0x0000000006C8A000-memory.dmp

Filesize
40KB

Download
memory/4740-135-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/4740-134-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/4740-133-0x00000000057B0000-0x000000000584C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads