e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724

General

Target

e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe
Size

580KB
MD5

6308cc22d136d3cc309205ca43233bec
SHA1

c4bcd2dd3fedd1011f2fa9dc680faaa23b385e77
SHA256

e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724
SHA512

310897b2f4e8d70d12aa3982d56cde3f0cb9b3dd577f586fb9a363e97f98abcb1e4f5efd96fd56fb751dae9be75d95eb85de2986d13bb3c32bae0652b9cef7d3
SSDEEP

12288:RG7amAZ1ljXQ+7jmemD2vZTHPp9EifyLPbRkVFqR6+zCNSg8AoOjdYXIzgm7PH9:E2mAZ1ljAcuD2vlHx8/0ckhSg8ryaXsX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1284	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3608	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4412	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe
2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe
2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe
2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe
2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe
2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe
2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe
2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe
2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe
2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe
2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe
2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe
2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
632	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe
Token: SeDebugPrivilege	1284	svchost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 3560	2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe	71
PID 2996 wrote to memory of 3560	2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe	71
PID 2996 wrote to memory of 3336	2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe	73
PID 2996 wrote to memory of 3336	2996	e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe	73
PID 3336 wrote to memory of 4412	3336	cmd.exe	75
PID 3336 wrote to memory of 4412	3336	cmd.exe	75
PID 3560 wrote to memory of 3608	3560	cmd.exe	76
PID 3560 wrote to memory of 3608	3560	cmd.exe	76
PID 3336 wrote to memory of 1284	3336	cmd.exe	77
PID 3336 wrote to memory of 1284	3336	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe
"C:\Users\Admin\AppData\Local\Temp\e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:3608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBA47.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4412
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBA47.tmp.bat

Filesize
151B

MD5
979f5c24dac8ff0eb5f704a95bf45f74

SHA1
8047e0da7b2bca348c7c020e52e56b49f5be2b1a

SHA256
c3e59cfa2a060215562ab793abf9eae0a3b560ca601f9852e5cafe2b3f4c9ebb

SHA512
a6bf5fbbb5229cac9c281083296d220f1239947c4090c4581c4acd906e118c3868b085fc684a4f45d0141e245c47cfd51e9b16a1122e0bc6d3da2e340cac381b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
580KB

MD5
6308cc22d136d3cc309205ca43233bec

SHA1
c4bcd2dd3fedd1011f2fa9dc680faaa23b385e77

SHA256
e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724

SHA512
310897b2f4e8d70d12aa3982d56cde3f0cb9b3dd577f586fb9a363e97f98abcb1e4f5efd96fd56fb751dae9be75d95eb85de2986d13bb3c32bae0652b9cef7d3

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
580KB

MD5
6308cc22d136d3cc309205ca43233bec

SHA1
c4bcd2dd3fedd1011f2fa9dc680faaa23b385e77

SHA256
e78ca14c9af7852b5dd0e701e033539c1239999b2fadb772d4a813b248b0c724

SHA512
310897b2f4e8d70d12aa3982d56cde3f0cb9b3dd577f586fb9a363e97f98abcb1e4f5efd96fd56fb751dae9be75d95eb85de2986d13bb3c32bae0652b9cef7d3

Download Submit
memory/1284-132-0x00007FFA372E0000-0x00007FFA37CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1284-133-0x000001AB1A700000-0x000001AB1A800000-memory.dmp

Filesize
1024KB

Download
memory/1284-135-0x00007FFA372E0000-0x00007FFA37CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1284-136-0x000001AB1A700000-0x000001AB1A800000-memory.dmp

Filesize
1024KB

Download
memory/2996-120-0x0000022E6F930000-0x0000022E6F936000-memory.dmp

Filesize
24KB

Download
memory/2996-121-0x0000022E701E0000-0x0000022E701FA000-memory.dmp

Filesize
104KB

Download
memory/2996-122-0x0000022E70250000-0x0000022E702DC000-memory.dmp

Filesize
560KB

Download
memory/2996-119-0x0000022E6F960000-0x0000022E6F970000-memory.dmp

Filesize
64KB

Download
memory/2996-128-0x00007FFA372E0000-0x00007FFA37CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2996-118-0x00007FFA372E0000-0x00007FFA37CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2996-117-0x0000022E6DC10000-0x0000022E6DCA6000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads