29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6

General

Target

29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
Size

818KB
MD5

3d96b5fa3d4aec629fc9eabc97d17b1a
SHA1

bbf097eda548be4bb8f2e2ac440bfe0838ccce12
SHA256

29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6
SHA512

f19d6fc1786de14923596e7d8b51005e329d2bb72d4255bf7837063a34c46687dd8e25e8711d9aef32021f8dea157230428a196394569f9c286cdb4fca3d06ba
SSDEEP

12288:dWxr8tW8G34/uK45+po2yzBX2eln5gi+jiiUVxKfC3xFCLOzaMpsDiDfC7o+ncY0:mz34/up+pJ/elnD+ON4C/psDkq73dX

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2760 schtasks.exe

pid	process
2760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exepowershell.exepowershell.exe

pid	process
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2700	powershell.exe
2320	powershell.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe

description	pid	process	target process
PID 2080 wrote to memory of 2320	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	powershell.exe
PID 2080 wrote to memory of 2320	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	powershell.exe
PID 2080 wrote to memory of 2320	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	powershell.exe
PID 2080 wrote to memory of 2320	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	powershell.exe
PID 2080 wrote to memory of 2700	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	powershell.exe
PID 2080 wrote to memory of 2700	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	powershell.exe
PID 2080 wrote to memory of 2700	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	powershell.exe
PID 2080 wrote to memory of 2700	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	powershell.exe
PID 2080 wrote to memory of 2760	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	schtasks.exe
PID 2080 wrote to memory of 2760	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	schtasks.exe
PID 2080 wrote to memory of 2760	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	schtasks.exe
PID 2080 wrote to memory of 2760	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	schtasks.exe
PID 2080 wrote to memory of 2584	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	RegSvcs.exe
PID 2080 wrote to memory of 2584	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	RegSvcs.exe
PID 2080 wrote to memory of 2584	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	RegSvcs.exe
PID 2080 wrote to memory of 2584	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	RegSvcs.exe
PID 2080 wrote to memory of 2584	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	RegSvcs.exe
PID 2080 wrote to memory of 2584	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	RegSvcs.exe
PID 2080 wrote to memory of 2584	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	RegSvcs.exe
PID 2080 wrote to memory of 2628	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	RegSvcs.exe
PID 2080 wrote to memory of 2628	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	RegSvcs.exe
PID 2080 wrote to memory of 2628	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	RegSvcs.exe
PID 2080 wrote to memory of 2628	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	RegSvcs.exe
PID 2080 wrote to memory of 2628	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	RegSvcs.exe
PID 2080 wrote to memory of 2628	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	RegSvcs.exe
PID 2080 wrote to memory of 2628	2080	29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe
"C:\Users\Admin\AppData\Local\Temp\29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\29dde0c42e931658310ede756d477eea838ad95e75a7b589fe8393b0f30bbfa6.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zOZYwgrqs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zOZYwgrqs" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB28D.tmp"
2⤵
- Creates scheduled task(s)
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB28D.tmp

Filesize
1KB

MD5
c8957c8b2aaed91dcef60fac7930fb62

SHA1
d1564b0153b614774a9793e4be4b2c970bea44b5

SHA256
3306d3a68e749cf7a85f00b97eec52a06a92bd96c7377461b09dbf300d4b913e

SHA512
4cbcdb62f675cdc52bf43bad84d692e914a5006f66f4fc6cfdac6c3d21315d044f7db32ab43aa8157587698837322348bf39a23105a7f44b4122f2b024045797

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YW92O0GWDXPZP4O0UBCK.temp

Filesize
7KB

MD5
9cce07d7e0cbbba626890edff597bf86

SHA1
714d0c3326fa52b7b8f469083356ba6e5d8d502e

SHA256
cadad8aaa1d5f9e29ba64bd4774d42601ea3d5790c06fb754139cf9908def636

SHA512
16b944d13b6783505663f10cbca4230e58c0886087c608eae93f8b2c424a1887c5084998d1d11b910c0d77e1e1b58e1de41202e62770ad1de776e83ba94c430f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9cce07d7e0cbbba626890edff597bf86

SHA1
714d0c3326fa52b7b8f469083356ba6e5d8d502e

SHA256
cadad8aaa1d5f9e29ba64bd4774d42601ea3d5790c06fb754139cf9908def636

SHA512
16b944d13b6783505663f10cbca4230e58c0886087c608eae93f8b2c424a1887c5084998d1d11b910c0d77e1e1b58e1de41202e62770ad1de776e83ba94c430f

Download Submit
memory/2080-5-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2080-4-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2080-3-0x0000000000380000-0x0000000000398000-memory.dmp

Filesize
96KB

Download
memory/2080-6-0x0000000005020000-0x000000000509C000-memory.dmp

Filesize
496KB

Download
memory/2080-7-0x0000000073EA0000-0x000000007458E000-memory.dmp

Filesize
6.9MB

Download
memory/2080-8-0x0000000004FE0000-0x0000000005020000-memory.dmp

Filesize
256KB

Download
memory/2080-0-0x00000000002A0000-0x0000000000372000-memory.dmp

Filesize
840KB

Download
memory/2080-1-0x0000000073EA0000-0x000000007458E000-memory.dmp

Filesize
6.9MB

Download
memory/2080-2-0x0000000004FE0000-0x0000000005020000-memory.dmp

Filesize
256KB

Download
memory/2320-26-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/2320-22-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download
memory/2320-23-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/2320-25-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download
memory/2320-29-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download
memory/2628-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2700-24-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-21-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-28-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads