06996c6ef4a30d3fd5412866e17dfdeb79908355c0255e9ebe2da87be576082d

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2023, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62600026163974233250.exe
Size

6.0MB
MD5

55d06a39d1ccbb19ad79bf087489f878
SHA1

ee00157a68963a4fb4d234919f21a76dfa96377a
SHA256

06996c6ef4a30d3fd5412866e17dfdeb79908355c0255e9ebe2da87be576082d
SHA512

361b5ed547a319a10e1a13197e3c311dd8f7b1f5e864b479e528125b7c39b643d2d7ac4fa52f404a5874f936350937e37393dac1c2902b9bd2ce1eaa5983efba
SSDEEP

196608:8pB5U+TdKXaYnaxw9zKbM3mRZfoULcZFS:8f574X1a69zsRxE

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4568	62600026163974233250.exe
4568	62600026163974233250.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2016	schtasks.exe
2684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4568	62600026163974233250.exe
4568	62600026163974233250.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 2016	4568	62600026163974233250.exe	84
PID 4568 wrote to memory of 2016	4568	62600026163974233250.exe	84
PID 4568 wrote to memory of 2016	4568	62600026163974233250.exe	84
PID 4568 wrote to memory of 1124	4568	62600026163974233250.exe	86
PID 4568 wrote to memory of 1124	4568	62600026163974233250.exe	86
PID 4568 wrote to memory of 1124	4568	62600026163974233250.exe	86
PID 4568 wrote to memory of 2684	4568	62600026163974233250.exe	88
PID 4568 wrote to memory of 2684	4568	62600026163974233250.exe	88
PID 4568 wrote to memory of 2684	4568	62600026163974233250.exe	88

C:\Users\Admin\AppData\Local\Temp\62600026163974233250.exe
"C:\Users\Admin\AppData\Local\Temp\62600026163974233250.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2016
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}"
  2⤵
  PID:1124
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /tn "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\6745645343447557"
  2⤵
  - Creates scheduled task(s)
  PID:2684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\6745645343447557

Filesize
1KB

MD5
10363570c0d7de6b3834f3b6e919747c

SHA1
be494ff1dfd7881cb23e2fe4f61c1c5106a05530

SHA256
73671e017479f23868065819c9e4ce93956de0bbd3dee2b4f5742ba3642e4a61

SHA512
b1ccfb1b978b3a4e46ec6f915b072406fa6490f188aab6ba1f5ab6805b5091f513714857bc28ee982bd4c6572896990228ccaad19a10c2c4d6c3e1a2ca8bb806

Download Submit
memory/4568-133-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/4568-134-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/4568-135-0x0000000000400000-0x0000000000D6C000-memory.dmp

Filesize
9.4MB

Download