c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2023, 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe
Size

6.1MB
MD5

9d07944f7ce2fce63e8dd40e9eb58eea
SHA1

5d9bc00fd1989b5a8325ea99d88257c70ec42d76
SHA256

c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7
SHA512

24ff183cfc8eb101e2d5db22dcad810bce7e3e80b3ae4fd2424629e525525dcb6646a50f6ee8855a5d6cdc2d8add5394598fac78b8fe4236ba7570258b19e875
SSDEEP

98304:uUXF9PCGenR48ihXSB59MGuC7JUKAeRh0rtlIFwn3jvMLDy50vPT8RDX:9XLPAnDgi97D7Jtql5zvMLDyCPT8R7

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2084	c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe
2084	c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3780	2084	WerFault.exe	82

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2936	schtasks.exe
2044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2084	c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe
2084	c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2936	2084	c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe	83
PID 2084 wrote to memory of 2936	2084	c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe	83
PID 2084 wrote to memory of 2936	2084	c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe	83
PID 2084 wrote to memory of 4032	2084	c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe	85
PID 2084 wrote to memory of 4032	2084	c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe	85
PID 2084 wrote to memory of 4032	2084	c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe	85
PID 2084 wrote to memory of 2044	2084	c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe	87
PID 2084 wrote to memory of 2044	2084	c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe	87
PID 2084 wrote to memory of 2044	2084	c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe	87

C:\Users\Admin\AppData\Local\Temp\c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe
"C:\Users\Admin\AppData\Local\Temp\c2792e268efa6665ee1b63c374fa0767b3e5cbd47e5aa844b3995923adb3b7d7.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Microsoft Windows Search Protocol Host{Q3D4C6G3N7-J7K8A1D3-V5N6G4D8J5}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows Search Protocol Host\SearchProtocolHost.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2936
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "Microsoft Windows Search Protocol Host{Q3D4C6G3N7-J7K8A1D3-V5N6G4D8J5}"
  2⤵
  PID:4032
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /tn "Microsoft Windows Search Protocol Host{Q3D4C6G3N7-J7K8A1D3-V5N6G4D8J5}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows Search Protocol Host\34346457686643545"
  2⤵
  - Creates scheduled task(s)
  PID:2044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 472
  2⤵
  - Program crash
  PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2084 -ip 2084
1⤵
PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows Search Protocol Host\34346457686643545

Filesize
1KB

MD5
31d5b2e442eae9098b5756a89e7038c3

SHA1
8f478d724317c85d21c8d5fa705252521e1a991d

SHA256
dcafb17fbc44be0dae3a1be4532ecfd91a1e0aa1ddd2db027cacc87c32c151cf

SHA512
fc8ca320666a1ad55dcfc8debf28c0fa89e4d96835643b7f9837da7eb321fece32580652da03faa12de0c7e77cbb34dcefd1f88e4aeda360dcaa5895fa3d208a

Download Submit
memory/2084-133-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2084-134-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/2084-135-0x0000000000400000-0x0000000000D7E000-memory.dmp

Filesize
9.5MB

Download