1cd1fef1a13acb996ecd6be05f2d6e91e5f3ddedee8d333fd1fb59bf1bd4ff10

General

Target

33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
Size

900KB
MD5

01fed888c73f8954f2c8a4e334cc2dae
SHA1

0965bbe8bb7126f8648f8a09f57cbfcce1a0675f
SHA256

33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5
SHA512

0ddc89f2f7db79756ef2e4d728eb73fc2da2fdc3c4fee760d82e3a1f10ddd87339ba0b18f122b321decbe5de52ce45e0a02226b842b07a96418e8eb721758bfa
SSDEEP

24576:/16gHdPIQkEJjUdxt6qy4QKOv4Kv6GR2fSMRMHAj:/M2zkbz8lxNv4KdYMHA

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2624 schtasks.exe

pid	process
2624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exepowershell.exepowershell.exe

pid	process
3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
3036	powershell.exe
2696	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe

C:\Users\Admin\AppData\Local\Temp\33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
"C:\Users\Admin\AppData\Local\Temp\33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aKTpYw.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aKTpYw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4885.tmp"
2⤵
- Creates scheduled task(s)
PID:2624

C:\Users\Admin\AppData\Local\Temp\33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
"C:\Users\Admin\AppData\Local\Temp\33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe"
2⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
"C:\Users\Admin\AppData\Local\Temp\33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe"
2⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
"C:\Users\Admin\AppData\Local\Temp\33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe"
2⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
"C:\Users\Admin\AppData\Local\Temp\33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe"
2⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
"C:\Users\Admin\AppData\Local\Temp\33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe"
2⤵
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4885.tmp

Filesize
1KB

MD5
c4cbdb70939140d7e2393df7830ae148

SHA1
681b3661ea1d9662013bd7242ec1e6e050f0b000

SHA256
58c0bcdfa84a97bd710142f46df8ed0e8483b8c1e1348c97ad62ab3c54809ba6

SHA512
0408bd9a6bc1d8035b2dec09efbcf698f058aed637332187f40d8dff3d8fac741add73099453990f1092ddb03e9a2a97323f59150dbe7bac17bf8d542698a96c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4BPI8T5HQ4B16OGC3R4N.temp

Filesize
7KB

MD5
8bb8fde4524ef19c7fa8dfc27eb13c7e

SHA1
d6e6ee4ba27f5d1bf20d8c2c7c91559ae31adb9b

SHA256
c1fb7f70c99e337262f30ca1441f293b8c985a9102d6865da934ea5c5cd950e6

SHA512
67ccc4bb46e7411489e6242f23e69fe5c5bd1f2a2db60f87926f2afa50b3d452a0e1af0e77bd754a6c111a6a811d0cc8c7f483f07beefd6b1342e000af047390

Download Submit
memory/2696-21-0x000000006F470000-0x000000006FA1B000-memory.dmp

Filesize
5.7MB

Download
memory/2696-22-0x0000000002B00000-0x0000000002B40000-memory.dmp

Filesize
256KB

Download
memory/2696-25-0x0000000002B00000-0x0000000002B40000-memory.dmp

Filesize
256KB

Download
memory/2696-24-0x000000006F470000-0x000000006FA1B000-memory.dmp

Filesize
5.7MB

Download
memory/2696-28-0x000000006F470000-0x000000006FA1B000-memory.dmp

Filesize
5.7MB

Download
memory/2696-27-0x0000000002B00000-0x0000000002B40000-memory.dmp

Filesize
256KB

Download
memory/3024-6-0x00000000058C0000-0x0000000005978000-memory.dmp

Filesize
736KB

Download
memory/3024-20-0x00000000745E0000-0x0000000074CCE000-memory.dmp

Filesize
6.9MB

Download
memory/3024-1-0x00000000745E0000-0x0000000074CCE000-memory.dmp

Filesize
6.9MB

Download
memory/3024-0-0x0000000000370000-0x0000000000458000-memory.dmp

Filesize
928KB

Download
memory/3024-2-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download
memory/3024-3-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/3024-5-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/3024-4-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/3036-19-0x000000006F470000-0x000000006FA1B000-memory.dmp

Filesize
5.7MB

Download
memory/3036-26-0x0000000002E10000-0x0000000002E50000-memory.dmp

Filesize
256KB

Download
memory/3036-29-0x000000006F470000-0x000000006FA1B000-memory.dmp

Filesize
5.7MB

Download
memory/3036-23-0x000000006F470000-0x000000006FA1B000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 3024 wrote to memory of 3036	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	powershell.exe
PID 3024 wrote to memory of 3036	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	powershell.exe
PID 3024 wrote to memory of 3036	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	powershell.exe
PID 3024 wrote to memory of 3036	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	powershell.exe
PID 3024 wrote to memory of 2696	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	powershell.exe
PID 3024 wrote to memory of 2696	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	powershell.exe
PID 3024 wrote to memory of 2696	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	powershell.exe
PID 3024 wrote to memory of 2696	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	powershell.exe
PID 3024 wrote to memory of 2624	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	schtasks.exe
PID 3024 wrote to memory of 2624	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	schtasks.exe
PID 3024 wrote to memory of 2624	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	schtasks.exe
PID 3024 wrote to memory of 2624	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	schtasks.exe
PID 3024 wrote to memory of 2532	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2532	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2532	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2532	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2640	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2640	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2640	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2640	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2472	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2472	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2472	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2472	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2480	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2480	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2480	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2480	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2488	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2488	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2488	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe
PID 3024 wrote to memory of 2488	3024	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe	33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads