9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94

General

Target

9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
Size

813KB
MD5

be3988bbf70d69b9d73d74bfcc8fb164
SHA1

271f55af9cfa8b4bd0b3469940bd7722f2579555
SHA256

9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94
SHA512

0288f4daf6239703ef7af17c549786bc14f6999f2559644c5f5668be3557fa4b5d0230bdaa69f4dc8a75f3111654dbe9897d778e8bfb3298e6c01159dd5660aa
SSDEEP

12288:I9dILurOuKPQq3FUJQrGvZ1gSAEfBMdlQduRTg6Z/4eb3TSGhgoFJ2W:I9ZrByFMdvZr5fiRTg9q3ThgA

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2588 schtasks.exe

pid	process
2588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exepowershell.exe

pid	process
2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
2948	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
Token: SeDebugPrivilege	2948	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe

C:\Users\Admin\AppData\Local\Temp\9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
"C:\Users\Admin\AppData\Local\Temp\9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dQsBVVxvlZ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dQsBVVxvlZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6410.tmp"
2⤵
- Creates scheduled task(s)
PID:2588

C:\Users\Admin\AppData\Local\Temp\9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
"C:\Users\Admin\AppData\Local\Temp\9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe"
2⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
"C:\Users\Admin\AppData\Local\Temp\9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe"
2⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
"C:\Users\Admin\AppData\Local\Temp\9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe"
2⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
"C:\Users\Admin\AppData\Local\Temp\9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe"
2⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
"C:\Users\Admin\AppData\Local\Temp\9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe"
2⤵
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6410.tmp

Filesize
1KB

MD5
5137f8de1ee6f8d6ecd68ab405e9bd8c

SHA1
a10e4f242a90b1d07093f9d7dc7d0f306159fb4c

SHA256
896854ea09d7f36781002858280662af81873cfbdba712540d78e11c754f440f

SHA512
865419782846bf7df72978c36b35dba948b2281142b0b7757389062f72825b0a3f91a3b6cff4d9a7112452a9da0a6ee6c36eeb64e9ae2fd81012c9f7ef9bcf25

Download Submit
memory/2928-8-0x0000000005070000-0x00000000050B0000-memory.dmp

Filesize
256KB

Download
memory/2928-0-0x0000000000240000-0x0000000000312000-memory.dmp

Filesize
840KB

Download
memory/2928-3-0x0000000000330000-0x0000000000346000-memory.dmp

Filesize
88KB

Download
memory/2928-4-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2928-5-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2928-6-0x0000000005CB0000-0x0000000005D2A000-memory.dmp

Filesize
488KB

Download
memory/2928-2-0x0000000005070000-0x00000000050B0000-memory.dmp

Filesize
256KB

Download
memory/2928-1-0x0000000074E10000-0x00000000754FE000-memory.dmp

Filesize
6.9MB

Download
memory/2928-7-0x0000000074E10000-0x00000000754FE000-memory.dmp

Filesize
6.9MB

Download
memory/2928-17-0x0000000074E10000-0x00000000754FE000-memory.dmp

Filesize
6.9MB

Download
memory/2948-16-0x000000006F1E0000-0x000000006F78B000-memory.dmp

Filesize
5.7MB

Download
memory/2948-18-0x000000006F1E0000-0x000000006F78B000-memory.dmp

Filesize
5.7MB

Download
memory/2948-20-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/2948-19-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/2948-21-0x000000006F1E0000-0x000000006F78B000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 2928 wrote to memory of 2948	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	powershell.exe
PID 2928 wrote to memory of 2948	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	powershell.exe
PID 2928 wrote to memory of 2948	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	powershell.exe
PID 2928 wrote to memory of 2948	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	powershell.exe
PID 2928 wrote to memory of 2588	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	schtasks.exe
PID 2928 wrote to memory of 2588	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	schtasks.exe
PID 2928 wrote to memory of 2588	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	schtasks.exe
PID 2928 wrote to memory of 2588	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	schtasks.exe
PID 2928 wrote to memory of 2828	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2828	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2828	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2828	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2572	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2572	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2572	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2572	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2684	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2684	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2684	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2684	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2180	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2180	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2180	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2180	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2660	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2660	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2660	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe
PID 2928 wrote to memory of 2660	2928	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe	9781aeef25933b2e60e350f984a7a06c916e9ce6e5ca2a38d2d3dd752357ae94.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads