Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
26/12/2023, 17:11
General
-
Target
18d1a10285383dbf8a2343e4b9c1fc3c.exe
-
Size
2.0MB
-
MD5
18d1a10285383dbf8a2343e4b9c1fc3c
-
SHA1
e0a53fa4e9f303e87dfe612a9495290ea27e21d3
-
SHA256
952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534
-
SHA512
d3000f6115555a836661617e36c5af4bc61acfdff5b51b94136b8497de3a2b8d4b449dc1307726f434774500e960ae6f0f0c5bda94a041ca384f17cfbd32da46
-
SSDEEP
49152:MvVl3ySej9XajZGssKdpH/AoBbuejcxh7ZOGx74fp:a3CSekIT+AUNjMFZOGx70
Malware Config
Signatures
-
Drops startup file 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\18d1a10285383dbf8a2343e4b9c1fc3c.exe"C:\Users\Admin\AppData\Local\Temp\18d1a10285383dbf8a2343e4b9c1fc3c.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gO8uT51.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gO8uT51.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4tK193Ap.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4tK193Ap.exe3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5b316244d46d5c6c7fb9ff8e11f147f48
SHA1cda202da3c4957dace154bf838b929f88ab3c2c0
SHA256536a44bb2eafbc19194bda958b07381438e55bc676feedb631c2a8d00025bbd8
SHA5122e421bca838d17c7196fb3443b6099baf36d838019060f49d78299347d48d0f573cda264f19ad75ced3f092ca75ffba1fbc61f3044f43aea7296bea83d13cfcc
-
Filesize
1.5MB
MD5c2111e61e7ba399ef043c265c4215de2
SHA1a7c1289cf1e2ae758d8c1ef409a9b4b8a468da1a
SHA256606bc55fad2b4b1ec117c8df11571f153ac95736e6fcfa8dd8874d88eaa1a48b
SHA5129f972eb5a7725507cef4d8a597d2872466a0883ef58d3c2cf1f5e59379129e9531978c73d1cf07ad47d7877f874af8486e182778b1d3acfbebba60bfb21509de
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
472KB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB