f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25

General

Target

f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe
Size

1.1MB
MD5

7f4530102461308640fcae4610dbc09f
SHA1

2d76b04a70ed285095870d495bbbe831cd4eb623
SHA256

f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25
SHA512

390f108b20d8fa692397feba2ccaf459654303eafc8d30bb3398866a2534c5366068482f9ae7cb7adf34ee073e09757fb45e428d5eb3ff8e6243f01e5cfc04ee
SSDEEP

12288:fKXer0p6qWip6qWj7YTVRSY4fbkQ/DJ6Q9Hw8GrfhiyMZkQ1YT:SXLp9Wip9WjaVYlN6ITG7h8LK

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe
2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe
2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe
2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe
2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2684	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	30
PID 2412 wrote to memory of 2684	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	30
PID 2412 wrote to memory of 2684	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	30
PID 2412 wrote to memory of 2684	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	30
PID 2412 wrote to memory of 2692	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	32
PID 2412 wrote to memory of 2692	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	32
PID 2412 wrote to memory of 2692	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	32
PID 2412 wrote to memory of 2692	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	32
PID 2412 wrote to memory of 2636	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	33
PID 2412 wrote to memory of 2636	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	33
PID 2412 wrote to memory of 2636	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	33
PID 2412 wrote to memory of 2636	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	33
PID 2412 wrote to memory of 2472	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	34
PID 2412 wrote to memory of 2472	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	34
PID 2412 wrote to memory of 2472	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	34
PID 2412 wrote to memory of 2472	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	34
PID 2412 wrote to memory of 2524	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	35
PID 2412 wrote to memory of 2524	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	35
PID 2412 wrote to memory of 2524	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	35
PID 2412 wrote to memory of 2524	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	35
PID 2412 wrote to memory of 2520	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	36
PID 2412 wrote to memory of 2520	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	36
PID 2412 wrote to memory of 2520	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	36
PID 2412 wrote to memory of 2520	2412	f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe	36

C:\Users\Admin\AppData\Local\Temp\f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WdLpxJUrvXwgTh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD8D2.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe
  "{path}"
  2⤵
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe
  "{path}"
  2⤵
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe
  "{path}"
  2⤵
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe
  "{path}"
  2⤵
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\f9425a96d2e9d055dd0514a35242ed65f5be4f77c3ed4b1d47de2d7b4eb23a25_JC.exe
  "{path}"
  2⤵
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD8D2.tmp

Filesize
1KB

MD5
ddb8ab8aa7a2cf8bed3a794564177743

SHA1
c184998e46b916ef6643c29970d9ee42090a19b9

SHA256
449038cb4ce9de6aa18c5633d5499f2940a73ca39e43b6d9c466dc7271ae45db

SHA512
e66f647f37b35c1e4e5279a32e7ce26e22bdf37ea03445fa7a7c45fa93ad813859f4fc56756a7758bfa76e9e92b98e0a304f397606c4bf757bac77836064a9c0

Download Submit
memory/2412-0-0x0000000000310000-0x0000000000424000-memory.dmp

Filesize
1.1MB

Download
memory/2412-1-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2412-2-0x0000000004720000-0x0000000004760000-memory.dmp

Filesize
256KB

Download
memory/2412-3-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2412-4-0x0000000004720000-0x0000000004760000-memory.dmp

Filesize
256KB

Download
memory/2412-5-0x0000000000550000-0x0000000000564000-memory.dmp

Filesize
80KB

Download
memory/2412-6-0x0000000004D70000-0x0000000004DF0000-memory.dmp

Filesize
512KB

Download
memory/2412-7-0x0000000004120000-0x0000000004162000-memory.dmp

Filesize
264KB

Download
memory/2412-11-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads