84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b

Analysis

max time kernel
129s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe
Size

322KB
MD5

eef6617def6f6e52cd7ad187eeb285a0
SHA1

d1d6ed84b5d1a691ff6e0cd097ac570a985428ad
SHA256

84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b
SHA512

7f8283d44949708e4baa63672218dc447cb044605574cf313d22a75d6b442c8ff4f92e88fbb79d9754a36eefaf8449f7f7efdf820555dea094c6d390b5f5b063
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3340 set thread context of 3572	3340	84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe	88

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3400	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 3572	3340	84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe	88
PID 3340 wrote to memory of 3572	3340	84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe	88
PID 3340 wrote to memory of 3572	3340	84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe	88
PID 3340 wrote to memory of 3572	3340	84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe	88
PID 3340 wrote to memory of 3572	3340	84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe	88
PID 3340 wrote to memory of 3572	3340	84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe	88
PID 3340 wrote to memory of 3572	3340	84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe	88
PID 3340 wrote to memory of 3572	3340	84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe	88
PID 3340 wrote to memory of 3572	3340	84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe	88
PID 3572 wrote to memory of 3400	3572	84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe	89
PID 3572 wrote to memory of 3400	3572	84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe	89
PID 3572 wrote to memory of 3400	3572	84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe	89

C:\Users\Admin\AppData\Local\Temp\84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe
"C:\Users\Admin\AppData\Local\Temp\84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Local\Temp\84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe
  C:\Users\Admin\AppData\Local\Temp\84e5bb5bd446f4dc679ab86cc737c33c6d110cc06a163ae7aff300e72212a84b.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3340-6-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/3340-1-0x0000000000D20000-0x0000000000D76000-memory.dmp

Filesize
344KB

Download
memory/3340-2-0x0000000007C30000-0x0000000007CFC000-memory.dmp

Filesize
816KB

Download
memory/3340-3-0x00000000082B0000-0x0000000008854000-memory.dmp

Filesize
5.6MB

Download
memory/3340-4-0x0000000007DA0000-0x0000000007E32000-memory.dmp

Filesize
584KB

Download
memory/3340-5-0x0000000003100000-0x0000000003106000-memory.dmp

Filesize
24KB

Download
memory/3340-0-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/3340-7-0x0000000008040000-0x00000000080B6000-memory.dmp

Filesize
472KB

Download
memory/3340-8-0x0000000007D00000-0x0000000007D1E000-memory.dmp

Filesize
120KB

Download
memory/3340-15-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/3572-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3572-12-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3572-13-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads