fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

General

Target

fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe
Size

299KB
MD5

41b883a061c95e9b9cb17d4ca50de770
SHA1

1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256

fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512

cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
SSDEEP

6144:2neDcgRQv5VaNT9DW7a6dtM9VstSttuvqIT:2O0v5VuT9DW7hdt9tKt2qI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

mstsca.exe

pid process

3416 mstsca.exe

pid	process
3416	mstsca.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe

description	pid	process	target process
PID 4076 set thread context of 1332	4076	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4360 schtasks.exe

pid	process
4360	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exefef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe

description	pid	process	target process
PID 4076 wrote to memory of 1332	4076	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe
PID 4076 wrote to memory of 1332	4076	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe
PID 4076 wrote to memory of 1332	4076	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe
PID 4076 wrote to memory of 1332	4076	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe
PID 4076 wrote to memory of 1332	4076	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe
PID 4076 wrote to memory of 1332	4076	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe
PID 4076 wrote to memory of 1332	4076	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe
PID 4076 wrote to memory of 1332	4076	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe
PID 4076 wrote to memory of 1332	4076	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe
PID 1332 wrote to memory of 4360	1332	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe	schtasks.exe
PID 1332 wrote to memory of 4360	1332	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe	schtasks.exe
PID 1332 wrote to memory of 4360	1332	fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe
"C:\Users\Admin\AppData\Local\Temp\fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Local\Temp\fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe
  "C:\Users\Admin\AppData\Local\Temp\fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4360

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/1332-3-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1332-5-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1332-6-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1332-8-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/1332-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4076-1-0x0000000000A70000-0x0000000000B70000-memory.dmp

Filesize
1024KB

Download
memory/4076-2-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads