0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3

General

Target

0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3.exe
Size

6.0MB
MD5

88e6deee81ba6c70e517b7b4dcf56b5e
SHA1

ba7c697fe8cab422e273115383a607dcdaf40079
SHA256

0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3
SHA512

3dca60a81d2871e2005fe0413b04d1ea60a88ed75e149a57628dad2693248797e2e1dece4b680855bd739e95168bc091be39673d60ef9439793c9afe49761ee6
SSDEEP

196608:K9j+W0x7IFcfMq7U4D6VR2hX0b3h/QQn:K9D0x1Mq7Us6VR2hX0NYQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1096	TSTheme.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
920	0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3.exe
920	0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3.exe
1096	TSTheme.exe
1096	TSTheme.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
872	schtasks.exe
1544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
920	0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3.exe
1096	TSTheme.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 872	920	0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3.exe	27
PID 920 wrote to memory of 872	920	0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3.exe	27
PID 920 wrote to memory of 872	920	0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3.exe	27
PID 920 wrote to memory of 872	920	0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3.exe	27
PID 920 wrote to memory of 2040	920	0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3.exe	29
PID 920 wrote to memory of 2040	920	0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3.exe	29
PID 920 wrote to memory of 2040	920	0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3.exe	29
PID 920 wrote to memory of 2040	920	0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3.exe	29
PID 1424 wrote to memory of 1096	1424	taskeng.exe	32
PID 1424 wrote to memory of 1096	1424	taskeng.exe	32
PID 1424 wrote to memory of 1096	1424	taskeng.exe	32
PID 1424 wrote to memory of 1096	1424	taskeng.exe	32
PID 1096 wrote to memory of 1544	1096	TSTheme.exe	33
PID 1096 wrote to memory of 1544	1096	TSTheme.exe	33
PID 1096 wrote to memory of 1544	1096	TSTheme.exe	33
PID 1096 wrote to memory of 1544	1096	TSTheme.exe	33

C:\Users\Admin\AppData\Local\Temp\0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3.exe
"C:\Users\Admin\AppData\Local\Temp\0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe"
  2⤵
  - Creates scheduled task(s)
  PID:872
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}"
  2⤵
  PID:2040

C:\Windows\system32\taskeng.exe
taskeng.exe {BE1DD9B1-FA80-419C-BB94-C441EC2B7589} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 5 /tn "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe

Filesize
6.0MB

MD5
88e6deee81ba6c70e517b7b4dcf56b5e

SHA1
ba7c697fe8cab422e273115383a607dcdaf40079

SHA256
0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3

SHA512
3dca60a81d2871e2005fe0413b04d1ea60a88ed75e149a57628dad2693248797e2e1dece4b680855bd739e95168bc091be39673d60ef9439793c9afe49761ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe

Filesize
6.0MB

MD5
88e6deee81ba6c70e517b7b4dcf56b5e

SHA1
ba7c697fe8cab422e273115383a607dcdaf40079

SHA256
0b676a206b26be5c6aa5caa6beea20c14889f15cdc58d8c39c520807382a86d3

SHA512
3dca60a81d2871e2005fe0413b04d1ea60a88ed75e149a57628dad2693248797e2e1dece4b680855bd739e95168bc091be39673d60ef9439793c9afe49761ee6

Download Submit
memory/920-60-0x0000000000400000-0x0000000000D69000-memory.dmp

Filesize
9.4MB

Download
memory/920-57-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/920-58-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/920-59-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/920-54-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/920-56-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/920-55-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1096-68-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1096-69-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1096-71-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1096-72-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1096-73-0x0000000000400000-0x0000000000D69000-memory.dmp

Filesize
9.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads