Analysis
-
max time kernel
585s -
max time network
599s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
-
submitted
16/11/2023, 16:13
General
-
Target
1.exe
-
Size
4.3MB
-
MD5
3f005ce85f08a09e93679254e35df782
-
SHA1
e0ac1e6e68a1a79edd16215447a6c8c3ab068b5d
-
SHA256
c43f913e75a18bcddedf040beec903b94336734537ca6816d8174e8237822870
-
SHA512
cbfafb5a2422f2c5488915d30908f37f9a152e1901d53ce2b11542fefce754c141eef46d2d9e52ddc27b9f6ec34b0d6d2c56f3c08532a8ee9636804554c80db1
-
SSDEEP
49152:m6+OL0vnSGYGY+9C4OXk9PhRBPhILfF/QxamXYOCs5EbNfylJTEXKobB1:m7jHTXXREYJgXK
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN Soft /TR C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN Soft /TR C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {866F404E-D00C-45DD-BE64-8B07DEEE185D} S-1-5-21-3425689832-2386927309-2650718742-1000:AWDHTXES\Admin:Interactive:[1]1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.3MB
MD53f005ce85f08a09e93679254e35df782
SHA1e0ac1e6e68a1a79edd16215447a6c8c3ab068b5d
SHA256c43f913e75a18bcddedf040beec903b94336734537ca6816d8174e8237822870
SHA512cbfafb5a2422f2c5488915d30908f37f9a152e1901d53ce2b11542fefce754c141eef46d2d9e52ddc27b9f6ec34b0d6d2c56f3c08532a8ee9636804554c80db1
-
Filesize
4.3MB
MD53f005ce85f08a09e93679254e35df782
SHA1e0ac1e6e68a1a79edd16215447a6c8c3ab068b5d
SHA256c43f913e75a18bcddedf040beec903b94336734537ca6816d8174e8237822870
SHA512cbfafb5a2422f2c5488915d30908f37f9a152e1901d53ce2b11542fefce754c141eef46d2d9e52ddc27b9f6ec34b0d6d2c56f3c08532a8ee9636804554c80db1
-
Filesize
4.3MB
MD53f005ce85f08a09e93679254e35df782
SHA1e0ac1e6e68a1a79edd16215447a6c8c3ab068b5d
SHA256c43f913e75a18bcddedf040beec903b94336734537ca6816d8174e8237822870
SHA512cbfafb5a2422f2c5488915d30908f37f9a152e1901d53ce2b11542fefce754c141eef46d2d9e52ddc27b9f6ec34b0d6d2c56f3c08532a8ee9636804554c80db1
-
Filesize
4.3MB
MD53f005ce85f08a09e93679254e35df782
SHA1e0ac1e6e68a1a79edd16215447a6c8c3ab068b5d
SHA256c43f913e75a18bcddedf040beec903b94336734537ca6816d8174e8237822870
SHA512cbfafb5a2422f2c5488915d30908f37f9a152e1901d53ce2b11542fefce754c141eef46d2d9e52ddc27b9f6ec34b0d6d2c56f3c08532a8ee9636804554c80db1
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
32KB