6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc

Analysis

max time kernel
122s
max time network
162s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
Size

4.8MB
MD5

94fba165e0ef10a01074a4da417f30da
SHA1

3d6bfb2cb44346c4b4814b87d51547505ddeb9d4
SHA256

6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc
SHA512

235a45b0176614c832d3cf33a5b1236432cce03caf12e7bbcd743036460c0cd09604267e0e0b8ab7a3e35bcc214dac0c3082213ed6912747ab6b93e12321dcca
SSDEEP

98304:DtWHJOc0fbD5nSSyqIW++Cbc0vpcyBd6Mb6w/5b5l4bXJFb9:DS6X4SyqIz+CEyBd6Mbf/5mXJR9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2756	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	29
PID 3040 wrote to memory of 2756	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	29
PID 3040 wrote to memory of 2756	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	29
PID 3040 wrote to memory of 2756	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	29
PID 2756 wrote to memory of 2616	2756	cmd.exe	31
PID 2756 wrote to memory of 2616	2756	cmd.exe	31
PID 2756 wrote to memory of 2616	2756	cmd.exe	31
PID 3040 wrote to memory of 2704	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	32
PID 3040 wrote to memory of 2704	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	32
PID 3040 wrote to memory of 2704	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	32
PID 3040 wrote to memory of 2704	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	32
PID 2704 wrote to memory of 3064	2704	cmd.exe	34
PID 2704 wrote to memory of 3064	2704	cmd.exe	34
PID 2704 wrote to memory of 3064	2704	cmd.exe	34
PID 3040 wrote to memory of 2856	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	36
PID 3040 wrote to memory of 2856	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	36
PID 3040 wrote to memory of 2856	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	36
PID 3040 wrote to memory of 2856	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	36
PID 2856 wrote to memory of 2660	2856	cmd.exe	37
PID 2856 wrote to memory of 2660	2856	cmd.exe	37
PID 2856 wrote to memory of 2660	2856	cmd.exe	37
PID 3040 wrote to memory of 2604	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	38
PID 3040 wrote to memory of 2604	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	38
PID 3040 wrote to memory of 2604	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	38
PID 3040 wrote to memory of 2604	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	38
PID 2604 wrote to memory of 2512	2604	cmd.exe	40
PID 2604 wrote to memory of 2512	2604	cmd.exe	40
PID 2604 wrote to memory of 2512	2604	cmd.exe	40
PID 3040 wrote to memory of 2568	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	41
PID 3040 wrote to memory of 2568	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	41
PID 3040 wrote to memory of 2568	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	41
PID 3040 wrote to memory of 2568	3040	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	41
PID 2568 wrote to memory of 3048	2568	cmd.exe	43
PID 2568 wrote to memory of 3048	2568	cmd.exe	43
PID 2568 wrote to memory of 3048	2568	cmd.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
"C:\Users\Admin\AppData\Local\Temp\6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c expand *.cab /f:* .\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\expand.exe
    expand *.cab /f:* .\
    3⤵
    PID:2616
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\schtasks.exe
    schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
    3⤵
    - Creates scheduled task(s)
    PID:3064
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
    3⤵
    PID:2660
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn ASOS1
    3⤵
    PID:2512
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /f /tn ASOS1
    3⤵
    PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\unpack1.log

Filesize
4KB

MD5
38135f46c4c6546d10e64357e5d749c6

SHA1
32e96c892daf6c9f7a30fa18eb4730325057c80b

SHA256
a7ce4d86a4cbe710d573a85c504903b1eaabbdfa4581838dccfc761e53b961d5

SHA512
a2e6103c243f9cb1f4cddba578dbe33f9f1e6a852a682f56b8ab05f17c33450cfdefe2c933158dc6f247aab92893ac74a6e9a63aa24891b52a320f70f89dead4

Download Submit