fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d

General

Target

fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe
Size

6.1MB
MD5

0f90a76f612c57427247e6fc58199c01
SHA1

cc2a8b1817a28f4b11db5da9421dc25b1fae7fd9
SHA256

fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d
SHA512

86c697d7b438a340f70348d84e95a74c409cd3b18893fe93cfa596c4d0a388e7724db5b4390ab8a41d118613fe4e436604b8156c5a9a10ecda7b75bfd9ec789c
SSDEEP

98304:XCmxx1xZ+FQtfSS7abWRh9nPew74lyOA45uQawmDHeBuKO:ymxx1xJFSEzRDGplqkjaw8+EP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
956	SearchFilterHost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1672	fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe
1672	fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe
956	SearchFilterHost.exe
956	SearchFilterHost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1192	1672	WerFault.exe	26

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2020	schtasks.exe
1500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1672	fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe
956	SearchFilterHost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2020	1672	fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe	27
PID 1672 wrote to memory of 2020	1672	fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe	27
PID 1672 wrote to memory of 2020	1672	fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe	27
PID 1672 wrote to memory of 2020	1672	fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe	27
PID 1672 wrote to memory of 944	1672	fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe	29
PID 1672 wrote to memory of 944	1672	fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe	29
PID 1672 wrote to memory of 944	1672	fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe	29
PID 1672 wrote to memory of 944	1672	fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe	29
PID 1672 wrote to memory of 1192	1672	fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe	32
PID 1672 wrote to memory of 1192	1672	fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe	32
PID 1672 wrote to memory of 1192	1672	fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe	32
PID 1672 wrote to memory of 1192	1672	fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe	32
PID 384 wrote to memory of 956	384	taskeng.exe	34
PID 384 wrote to memory of 956	384	taskeng.exe	34
PID 384 wrote to memory of 956	384	taskeng.exe	34
PID 384 wrote to memory of 956	384	taskeng.exe	34

C:\Users\Admin\AppData\Local\Temp\fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe
"C:\Users\Admin\AppData\Local\Temp\fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Microsoft Windows Search Filter Host{A2S3C4V5G2S2-H5F4S2B6-N7F3S2A1H5}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SearchFilterHost\SearchFilterHost.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2020
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "Microsoft Windows Search Filter Host{A2S3C4V5G2S2-H5F4S2B6-N7F3S2A1H5}"
  2⤵
  PID:944
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /tn "Microsoft Windows Search Filter Host{A2S3C4V5G2S2-H5F4S2B6-N7F3S2A1H5}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SearchFilterHost\24357587698645335"
  2⤵
  - Creates scheduled task(s)
  PID:1500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 192
  2⤵
  - Program crash
  PID:1192

C:\Windows\system32\taskeng.exe
taskeng.exe {AC4E3192-5811-4560-AD4B-C2FCEA3D7E5C} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SearchFilterHost\SearchFilterHost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SearchFilterHost\SearchFilterHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SearchFilterHost\SearchFilterHost.exe

Filesize
6.1MB

MD5
0f90a76f612c57427247e6fc58199c01

SHA1
cc2a8b1817a28f4b11db5da9421dc25b1fae7fd9

SHA256
fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d

SHA512
86c697d7b438a340f70348d84e95a74c409cd3b18893fe93cfa596c4d0a388e7724db5b4390ab8a41d118613fe4e436604b8156c5a9a10ecda7b75bfd9ec789c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SearchFilterHost\SearchFilterHost.exe

Filesize
6.1MB

MD5
0f90a76f612c57427247e6fc58199c01

SHA1
cc2a8b1817a28f4b11db5da9421dc25b1fae7fd9

SHA256
fe5cbbc7952b92849803b4c7dc9f8fe5a605517f5b277304275291011930638d

SHA512
86c697d7b438a340f70348d84e95a74c409cd3b18893fe93cfa596c4d0a388e7724db5b4390ab8a41d118613fe4e436604b8156c5a9a10ecda7b75bfd9ec789c

Download Submit
memory/956-64-0x0000000000400000-0x0000000000D79000-memory.dmp

Filesize
9.5MB

Download
memory/956-65-0x0000000000400000-0x0000000000D79000-memory.dmp

Filesize
9.5MB

Download
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000000400000-0x0000000000D79000-memory.dmp

Filesize
9.5MB

Download
memory/1672-57-0x0000000000400000-0x0000000000D79000-memory.dmp

Filesize
9.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads