8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2023 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe
Size

2.0MB
MD5

d32feea07c3d949c7813ed5f6d7036cd
SHA1

fd0df63680845e81288d7b52d48e5ae05ac04f1b
SHA256

8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806
SHA512

9144ef5d1264af8be42ff07e4a713cc250f17e66eedbe4c2607e62173d4ee19a6dde78efe321675b651098f48dc5b7cf6ca064b9bb93b54a5de69923b831b398
SSDEEP

6144:Vhr55q8OORH+QR3HbcEw1ljjjjjj8C8mqg2P:D59W0MjjjjjjrIgU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1272	svchost.exe
4480	svchost.exe
4812	svchost.exe
4272	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4376 set thread context of 1972	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	81
PID 1272 set thread context of 4480	1272	svchost.exe	97
PID 4812 set thread context of 4272	4812	svchost.exe	106

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
60	schtasks.exe
4768	schtasks.exe
1964	schtasks.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

pid	Process
4480	svchost.exe
4272	svchost.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 1972	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	81
PID 4376 wrote to memory of 1972	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	81
PID 4376 wrote to memory of 1972	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	81
PID 4376 wrote to memory of 1972	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	81
PID 4376 wrote to memory of 1972	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	81
PID 4376 wrote to memory of 1972	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	81
PID 4376 wrote to memory of 1972	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	81
PID 4376 wrote to memory of 1972	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	81
PID 4376 wrote to memory of 4328	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	82
PID 4376 wrote to memory of 4328	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	82
PID 4376 wrote to memory of 4328	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	82
PID 4376 wrote to memory of 1392	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	84
PID 4376 wrote to memory of 1392	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	84
PID 4376 wrote to memory of 1392	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	84
PID 1392 wrote to memory of 1964	1392	cmd.exe	86
PID 1392 wrote to memory of 1964	1392	cmd.exe	86
PID 1392 wrote to memory of 1964	1392	cmd.exe	86
PID 4376 wrote to memory of 1572	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	87
PID 4376 wrote to memory of 1572	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	87
PID 4376 wrote to memory of 1572	4376	8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe	87
PID 1272 wrote to memory of 4480	1272	svchost.exe	97
PID 1272 wrote to memory of 4480	1272	svchost.exe	97
PID 1272 wrote to memory of 4480	1272	svchost.exe	97
PID 1272 wrote to memory of 4480	1272	svchost.exe	97
PID 1272 wrote to memory of 4480	1272	svchost.exe	97
PID 1272 wrote to memory of 4480	1272	svchost.exe	97
PID 1272 wrote to memory of 4480	1272	svchost.exe	97
PID 1272 wrote to memory of 4480	1272	svchost.exe	97
PID 1272 wrote to memory of 2112	1272	svchost.exe	98
PID 1272 wrote to memory of 2112	1272	svchost.exe	98
PID 1272 wrote to memory of 2112	1272	svchost.exe	98
PID 1272 wrote to memory of 780	1272	svchost.exe	100
PID 1272 wrote to memory of 780	1272	svchost.exe	100
PID 1272 wrote to memory of 780	1272	svchost.exe	100
PID 780 wrote to memory of 60	780	cmd.exe	102
PID 780 wrote to memory of 60	780	cmd.exe	102
PID 780 wrote to memory of 60	780	cmd.exe	102
PID 1272 wrote to memory of 4396	1272	svchost.exe	103
PID 1272 wrote to memory of 4396	1272	svchost.exe	103
PID 1272 wrote to memory of 4396	1272	svchost.exe	103
PID 4812 wrote to memory of 4272	4812	svchost.exe	106
PID 4812 wrote to memory of 4272	4812	svchost.exe	106
PID 4812 wrote to memory of 4272	4812	svchost.exe	106
PID 4812 wrote to memory of 4272	4812	svchost.exe	106
PID 4812 wrote to memory of 4272	4812	svchost.exe	106
PID 4812 wrote to memory of 4272	4812	svchost.exe	106
PID 4812 wrote to memory of 4272	4812	svchost.exe	106
PID 4812 wrote to memory of 4272	4812	svchost.exe	106
PID 4812 wrote to memory of 2992	4812	svchost.exe	107
PID 4812 wrote to memory of 2992	4812	svchost.exe	107
PID 4812 wrote to memory of 2992	4812	svchost.exe	107
PID 4812 wrote to memory of 4256	4812	svchost.exe	109
PID 4812 wrote to memory of 4256	4812	svchost.exe	109
PID 4812 wrote to memory of 4256	4812	svchost.exe	109
PID 4256 wrote to memory of 4768	4256	cmd.exe	111
PID 4256 wrote to memory of 4768	4256	cmd.exe	111
PID 4256 wrote to memory of 4768	4256	cmd.exe	111
PID 4812 wrote to memory of 5092	4812	svchost.exe	112
PID 4812 wrote to memory of 5092	4812	svchost.exe	112
PID 4812 wrote to memory of 5092	4812	svchost.exe	112

C:\Users\Admin\AppData\Local\Temp\8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe
"C:\Users\Admin\AppData\Local\Temp\8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Local\Temp\8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe
  "C:\Users\Admin\AppData\Local\Temp\8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe"
  2⤵
  PID:1972
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  PID:4328
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:1572

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: SetClipboardViewer
  PID:4480
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  PID:2112
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:60
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:4396

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: SetClipboardViewer
  PID:4272
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  PID:2992
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4768
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:5092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
609B

MD5
f78129c2d7c98a4397fa4931b11feef4

SHA1
ea26f38d12515741651ff161ea8393d5fa41a5bd

SHA256
29830390784d06271342237443b6224bb98be0539e34b64e7344c78d7cdd93d9

SHA512
cbca1d486c2bd7655752930b9020ccf3f8ae67a67dcb2cca51c31763a51fea8fb951d617c31a3746680303a8c6d45361c120f15ef06c30b417202949728b5b35

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
2.0MB

MD5
d32feea07c3d949c7813ed5f6d7036cd

SHA1
fd0df63680845e81288d7b52d48e5ae05ac04f1b

SHA256
8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806

SHA512
9144ef5d1264af8be42ff07e4a713cc250f17e66eedbe4c2607e62173d4ee19a6dde78efe321675b651098f48dc5b7cf6ca064b9bb93b54a5de69923b831b398

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
2.0MB

MD5
d32feea07c3d949c7813ed5f6d7036cd

SHA1
fd0df63680845e81288d7b52d48e5ae05ac04f1b

SHA256
8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806

SHA512
9144ef5d1264af8be42ff07e4a713cc250f17e66eedbe4c2607e62173d4ee19a6dde78efe321675b651098f48dc5b7cf6ca064b9bb93b54a5de69923b831b398

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
2.0MB

MD5
d32feea07c3d949c7813ed5f6d7036cd

SHA1
fd0df63680845e81288d7b52d48e5ae05ac04f1b

SHA256
8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806

SHA512
9144ef5d1264af8be42ff07e4a713cc250f17e66eedbe4c2607e62173d4ee19a6dde78efe321675b651098f48dc5b7cf6ca064b9bb93b54a5de69923b831b398

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
2.0MB

MD5
d32feea07c3d949c7813ed5f6d7036cd

SHA1
fd0df63680845e81288d7b52d48e5ae05ac04f1b

SHA256
8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806

SHA512
9144ef5d1264af8be42ff07e4a713cc250f17e66eedbe4c2607e62173d4ee19a6dde78efe321675b651098f48dc5b7cf6ca064b9bb93b54a5de69923b831b398

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
2.0MB

MD5
d32feea07c3d949c7813ed5f6d7036cd

SHA1
fd0df63680845e81288d7b52d48e5ae05ac04f1b

SHA256
8925cfc866e5b52ad7055246b75d70d5ddba6dcac8ea6daf4f34b9a532a6e806

SHA512
9144ef5d1264af8be42ff07e4a713cc250f17e66eedbe4c2607e62173d4ee19a6dde78efe321675b651098f48dc5b7cf6ca064b9bb93b54a5de69923b831b398

Download Submit
memory/1972-136-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1972-142-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/1972-141-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/1972-137-0x0000000005CA0000-0x0000000005CAA000-memory.dmp

Filesize
40KB

Download
memory/4376-133-0x0000000000410000-0x000000000044C000-memory.dmp

Filesize
240KB

Download
memory/4376-135-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/4376-134-0x00000000052E0000-0x0000000005884000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads