3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9

General

Target

3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
Size

5.2MB
MD5

d381d9db9cbd1b60afdfb4f05e52a775
SHA1

d59c52583ca791e07f3e6aec2ee2590ab9bfd67e
SHA256

3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9
SHA512

cebe8732fbcdc7d5672667d94473245377780e7cce940f5162789fcb6684c49b3c9c9cef6d7aff3cb005d614e32c228fe958011ee27d5063ca488b28b594d861
SSDEEP

98304:Qp4L/JhqnNKIjRFlrDlyzVd/dCR36YDAbJC5kZne:QeL/JhqNRrhyXCR3FAbfhe

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 2996 created 1348	2996	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe	9
PID 2996 created 1348	2996	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe	9
PID 2996 created 1348	2996	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe	9
PID 2996 created 1348	2996	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe	9

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2996	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
2996	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
2996	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
2996	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
2996	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
2996	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
2996	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
2996	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2984	powercfg.exe
Token: SeShutdownPrivilege	1628	powercfg.exe
Token: SeShutdownPrivilege	524	powercfg.exe
Token: SeShutdownPrivilege	268	powercfg.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2984	2740	cmd.exe	32
PID 2740 wrote to memory of 2984	2740	cmd.exe	32
PID 2740 wrote to memory of 2984	2740	cmd.exe	32
PID 2740 wrote to memory of 1628	2740	cmd.exe	33
PID 2740 wrote to memory of 1628	2740	cmd.exe	33
PID 2740 wrote to memory of 1628	2740	cmd.exe	33
PID 2740 wrote to memory of 524	2740	cmd.exe	34
PID 2740 wrote to memory of 524	2740	cmd.exe	34
PID 2740 wrote to memory of 524	2740	cmd.exe	34
PID 2740 wrote to memory of 268	2740	cmd.exe	37
PID 2740 wrote to memory of 268	2740	cmd.exe	37
PID 2740 wrote to memory of 268	2740	cmd.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1348
- C:\Users\Admin\AppData\Local\Temp\3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
  "C:\Users\Admin\AppData\Local\Temp\3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:2996
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:524
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:268
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2908
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\starkrqppzsg.xml"
  2⤵
  - Creates scheduled task(s)
  PID:2584
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\starkrqppzsg.xml

Filesize
1KB

MD5
059ccb70dc2c65c81c0dc8bea26a4bb2

SHA1
09c60376bf998dff186950104a6e7e4f74b37c24

SHA256
0b28be2c63d9b0b5936fb7a5fecbe3dc9bb69de7d212fadaefc03d643bf9482d

SHA512
416909daef33f4c55dcd99594b47a2ea65a0fa034179cb206a477d73378b8981eddb2187398e4b121b5448d3643f48033bf131c89d6fbfab3c33f21b8bd42c9d

Download Submit
memory/2996-0-0x000000013F620000-0x000000013FB50000-memory.dmp

Filesize
5.2MB

Download
memory/2996-4-0x000000013F620000-0x000000013FB50000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads