f48ed8d111af1a7ac60eb253fa75cc0b65bc1418c214d55a6e59676f4dd7277c

General

Target

PI No. 92826785.exe
Size

623KB
MD5

92b364ff04da94c50941ac26728b398e
SHA1

0ef8a6e061b52e34a31b691cd03153ce7b22c70a
SHA256

7cba6ce993da55a8706e4c726e120ce59a40622f20ed4f0beb971c1fb03b9519
SHA512

75d82e51d905febbb0fd6f3f0450c325faad7307bf84a5e508fca0aa3a75645873661f84a1bace1faa3edc6d0c0d8d3606f00228618f24510611e631fe03d37c
SSDEEP

12288:Xl5nF8PVdqrlbLP8DL98J/1aswLR7HgaC/Me5Qes5ib46iJgw:Xlaqhb7Gp8DatpC/Me5GM/iJZ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2656 schtasks.exe

pid	process
2656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

PI No. 92826785.exepowershell.exe

pid	process
1752	PI No. 92826785.exe
1752	PI No. 92826785.exe
1752	PI No. 92826785.exe
1752	PI No. 92826785.exe
1752	PI No. 92826785.exe
1752	PI No. 92826785.exe
1752	PI No. 92826785.exe
1752	PI No. 92826785.exe
1752	PI No. 92826785.exe
1752	PI No. 92826785.exe
2948	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PI No. 92826785.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1752 PI No. 92826785.exe
Token: SeDebugPrivilege 2948 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1752	PI No. 92826785.exe
Token: SeDebugPrivilege	2948	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

PI No. 92826785.exe

description	pid	process	target process
PID 1752 wrote to memory of 2948	1752	PI No. 92826785.exe	powershell.exe
PID 1752 wrote to memory of 2948	1752	PI No. 92826785.exe	powershell.exe
PID 1752 wrote to memory of 2948	1752	PI No. 92826785.exe	powershell.exe
PID 1752 wrote to memory of 2948	1752	PI No. 92826785.exe	powershell.exe
PID 1752 wrote to memory of 2656	1752	PI No. 92826785.exe	schtasks.exe
PID 1752 wrote to memory of 2656	1752	PI No. 92826785.exe	schtasks.exe
PID 1752 wrote to memory of 2656	1752	PI No. 92826785.exe	schtasks.exe
PID 1752 wrote to memory of 2656	1752	PI No. 92826785.exe	schtasks.exe
PID 1752 wrote to memory of 632	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 632	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 632	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 632	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2912	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2912	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2912	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2912	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2552	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2552	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2552	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2552	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2128	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2128	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2128	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2128	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2704	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2704	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2704	1752	PI No. 92826785.exe	PI No. 92826785.exe
PID 1752 wrote to memory of 2704	1752	PI No. 92826785.exe	PI No. 92826785.exe

C:\Users\Admin\AppData\Local\Temp\PI No. 92826785.exe
"C:\Users\Admin\AppData\Local\Temp\PI No. 92826785.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pHkBnvqIJtDl.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pHkBnvqIJtDl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD0A7.tmp"
2⤵
- Creates scheduled task(s)
PID:2656

C:\Users\Admin\AppData\Local\Temp\PI No. 92826785.exe
"C:\Users\Admin\AppData\Local\Temp\PI No. 92826785.exe"
2⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\PI No. 92826785.exe
"C:\Users\Admin\AppData\Local\Temp\PI No. 92826785.exe"
2⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\PI No. 92826785.exe
"C:\Users\Admin\AppData\Local\Temp\PI No. 92826785.exe"
2⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\PI No. 92826785.exe
"C:\Users\Admin\AppData\Local\Temp\PI No. 92826785.exe"
2⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\PI No. 92826785.exe
"C:\Users\Admin\AppData\Local\Temp\PI No. 92826785.exe"
2⤵
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD0A7.tmp

Filesize
1KB

MD5
d51469cba7c5b3314d95581adfd94362

SHA1
a3fd222e25bec295b54c73c5889cb9d4557e782d

SHA256
4f0084a444871d6170f4b931ee4f7e57d99aa739f05f293465107c0bf558411c

SHA512
636d3ef565a944db4c7d8053ac341698f757af2557dbafdb45c75520b7df746a7a664aba9ffa002039005e20dee0347394b999a5c22a293953d29198f7290cde

Download Submit
memory/1752-6-0x0000000004B70000-0x0000000004BDA000-memory.dmp

Filesize
424KB

Download
memory/1752-2-0x0000000004BE0000-0x0000000004C20000-memory.dmp

Filesize
256KB

Download
memory/1752-3-0x0000000000AF0000-0x0000000000B08000-memory.dmp

Filesize
96KB

Download
memory/1752-4-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/1752-5-0x0000000000B20000-0x0000000000B2A000-memory.dmp

Filesize
40KB

Download
memory/1752-0-0x00000000003F0000-0x0000000000490000-memory.dmp

Filesize
640KB

Download
memory/1752-1-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/1752-14-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/2948-15-0x000000006E810000-0x000000006EDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-16-0x000000006E810000-0x000000006EDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-17-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2948-18-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2948-19-0x000000006E810000-0x000000006EDBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads