dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe

General

Target

dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe
Size

6.1MB
MD5

917705dd2cbe49fdc73e02a1a4c72028
SHA1

1646aa0966f02eb72f0abd62ac0095db0d6d7e4f
SHA256

dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe
SHA512

ca5f3894cd85a79c56e7203f9b95476d03fb10d8c87f544def5193f60649ed8d5d2dcf1f0853fb8a72648280397cbb6a908e285c9436fca69852c3fdf81b28f2
SSDEEP

196608:tF36cDVpvIoR9ALI9mQgQsiuerZnAS4Um:tpfDHIojBu6ZnR4U

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1000	SearchFilterHost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1460	dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe
1460	dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe
1000	SearchFilterHost.exe
1000	SearchFilterHost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
852	1460	WerFault.exe	27

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1988	schtasks.exe
1540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1460	dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe
1000	SearchFilterHost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1988	1460	dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe	28
PID 1460 wrote to memory of 1988	1460	dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe	28
PID 1460 wrote to memory of 1988	1460	dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe	28
PID 1460 wrote to memory of 1988	1460	dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe	28
PID 1460 wrote to memory of 856	1460	dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe	30
PID 1460 wrote to memory of 856	1460	dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe	30
PID 1460 wrote to memory of 856	1460	dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe	30
PID 1460 wrote to memory of 856	1460	dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe	30
PID 1460 wrote to memory of 852	1460	dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe	33
PID 1460 wrote to memory of 852	1460	dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe	33
PID 1460 wrote to memory of 852	1460	dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe	33
PID 1460 wrote to memory of 852	1460	dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe	33
PID 1704 wrote to memory of 1000	1704	taskeng.exe	35
PID 1704 wrote to memory of 1000	1704	taskeng.exe	35
PID 1704 wrote to memory of 1000	1704	taskeng.exe	35
PID 1704 wrote to memory of 1000	1704	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe
"C:\Users\Admin\AppData\Local\Temp\dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Microsoft Windows Search Filter Host{A2S3C4V5G2S2-H5F4S2B6-N7F3S2A1H5}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SearchFilterHost\SearchFilterHost.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1988
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "Microsoft Windows Search Filter Host{A2S3C4V5G2S2-H5F4S2B6-N7F3S2A1H5}"
  2⤵
  PID:856
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /tn "Microsoft Windows Search Filter Host{A2S3C4V5G2S2-H5F4S2B6-N7F3S2A1H5}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SearchFilterHost\24357587698645335"
  2⤵
  - Creates scheduled task(s)
  PID:1540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 192
  2⤵
  - Program crash
  PID:852

C:\Windows\system32\taskeng.exe
taskeng.exe {3D101C27-5D9A-4817-BDC2-C8EF16804F04} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SearchFilterHost\SearchFilterHost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SearchFilterHost\SearchFilterHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SearchFilterHost\SearchFilterHost.exe

Filesize
6.1MB

MD5
917705dd2cbe49fdc73e02a1a4c72028

SHA1
1646aa0966f02eb72f0abd62ac0095db0d6d7e4f

SHA256
dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe

SHA512
ca5f3894cd85a79c56e7203f9b95476d03fb10d8c87f544def5193f60649ed8d5d2dcf1f0853fb8a72648280397cbb6a908e285c9436fca69852c3fdf81b28f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SearchFilterHost\SearchFilterHost.exe

Filesize
6.1MB

MD5
917705dd2cbe49fdc73e02a1a4c72028

SHA1
1646aa0966f02eb72f0abd62ac0095db0d6d7e4f

SHA256
dcbec7b1eeba2de23c87b2c44539b4a2421d880ff0fd2d66194a906dc73cc1fe

SHA512
ca5f3894cd85a79c56e7203f9b95476d03fb10d8c87f544def5193f60649ed8d5d2dcf1f0853fb8a72648280397cbb6a908e285c9436fca69852c3fdf81b28f2

Download Submit
memory/852-59-0x0000000000000000-mapping.dmp

Download
memory/856-58-0x0000000000000000-mapping.dmp

Download
memory/1000-61-0x0000000000000000-mapping.dmp

Download
memory/1000-64-0x0000000000400000-0x0000000000D7D000-memory.dmp

Filesize
9.5MB

Download
memory/1000-65-0x0000000000400000-0x0000000000D7D000-memory.dmp

Filesize
9.5MB

Download
memory/1000-66-0x0000000000400000-0x0000000000D7D000-memory.dmp

Filesize
9.5MB

Download
memory/1460-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1460-55-0x0000000000400000-0x0000000000D7D000-memory.dmp

Filesize
9.5MB

Download
memory/1460-57-0x0000000000400000-0x0000000000D7D000-memory.dmp

Filesize
9.5MB

Download
memory/1988-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads