06996c6ef4a30d3fd5412866e17dfdeb79908355c0255e9ebe2da87be576082d

Analysis

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19/05/2023, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62600026163974233250.exe
Size

6.0MB
MD5

55d06a39d1ccbb19ad79bf087489f878
SHA1

ee00157a68963a4fb4d234919f21a76dfa96377a
SHA256

06996c6ef4a30d3fd5412866e17dfdeb79908355c0255e9ebe2da87be576082d
SHA512

361b5ed547a319a10e1a13197e3c311dd8f7b1f5e864b479e528125b7c39b643d2d7ac4fa52f404a5874f936350937e37393dac1c2902b9bd2ce1eaa5983efba
SSDEEP

196608:8pB5U+TdKXaYnaxw9zKbM3mRZfoULcZFS:8f574X1a69zsRxE

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1728	62600026163974233250.exe
1728	62600026163974233250.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1728	62600026163974233250.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1680	1728	62600026163974233250.exe	28
PID 1728 wrote to memory of 1680	1728	62600026163974233250.exe	28
PID 1728 wrote to memory of 1680	1728	62600026163974233250.exe	28
PID 1728 wrote to memory of 1680	1728	62600026163974233250.exe	28
PID 1728 wrote to memory of 332	1728	62600026163974233250.exe	30
PID 1728 wrote to memory of 332	1728	62600026163974233250.exe	30
PID 1728 wrote to memory of 332	1728	62600026163974233250.exe	30
PID 1728 wrote to memory of 332	1728	62600026163974233250.exe	30

C:\Users\Admin\AppData\Local\Temp\62600026163974233250.exe
"C:\Users\Admin\AppData\Local\Temp\62600026163974233250.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1680
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}"
  2⤵
  PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1728-54-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1728-55-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1728-56-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1728-57-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1728-58-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1728-59-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1728-60-0x0000000000400000-0x0000000000D6C000-memory.dmp

Filesize
9.4MB

Download