e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165

General

Target

e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165.exe
Size

5.3MB
MD5

97f28fc0ad22bd6edb9ab6ef96ded82e
SHA1

fb2797eb0c08c440e0d8dd5c076eb4833f86ce1f
SHA256

e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165
SHA512

0ca7a767bce16c793115036d14a108afc992b2c7418e47885aa5fb710239e97a7cbf35e85a46f8966b9bb48b26eb466439f933d9e1f165dc7530a4741b7c81fd
SSDEEP

98304:dwpbeh4p9ph30bTpDji7yejCO3vtY14TFSbYTrkXkHVC5f9robTL9dm4vlYYph8r:d8p9ph3oTli7HVVNxOO7H45f9UZU4NYz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
208	XRJNZC.exe
4068	XRJNZC.exe
2012	XRJNZC.exe
4328	XRJNZC.exe
2372	XRJNZC.exe
3804	XRJNZC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3676	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4836	timeout.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 4660	1112	e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165.exe	74
PID 1112 wrote to memory of 4660	1112	e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165.exe	74
PID 1112 wrote to memory of 4660	1112	e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165.exe	74
PID 4660 wrote to memory of 4836	4660	cmd.exe	75
PID 4660 wrote to memory of 4836	4660	cmd.exe	75
PID 4660 wrote to memory of 4836	4660	cmd.exe	75
PID 4660 wrote to memory of 208	4660	cmd.exe	76
PID 4660 wrote to memory of 208	4660	cmd.exe	76
PID 4660 wrote to memory of 208	4660	cmd.exe	76
PID 208 wrote to memory of 3676	208	XRJNZC.exe	78
PID 208 wrote to memory of 3676	208	XRJNZC.exe	78
PID 208 wrote to memory of 3676	208	XRJNZC.exe	78

C:\Users\Admin\AppData\Local\Temp\e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165.exe
"C:\Users\Admin\AppData\Local\Temp\e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suw.0.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4836
- - C:\ProgramData\pinterests\XRJNZC.exe
    "C:\ProgramData\pinterests\XRJNZC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
      4⤵
      Creates scheduled task(s)
      PID:3676

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
- Executes dropped EXE
PID:4068

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
- Executes dropped EXE
PID:2012

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
- Executes dropped EXE
PID:4328

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
- Executes dropped EXE
PID:2372

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
- Executes dropped EXE
PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pinterests\XRJNZC.exe

Filesize
2.0MB

MD5
cec1d410c0c8e66629ad994e185e91a8

SHA1
4135355690422bd799e3aa2f3421a3dd519d278d

SHA256
20d82cfb856cbee0c46fe33755fdbe180433c1fd1f6979c0d092e8d8532ce680

SHA512
aa7b85323d10e6d8d727a9c1fd9b88605bb28d8d66d3948cf424bfd61211d53a6addb113918b253c9c3dfa2f7b344232fb074a251f557baec1b6e215700dc569

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
1.4MB

MD5
a68638b87d2d7758eef47e4a7bab2971

SHA1
8fd24e77cef8b82ff448d61b417c3f1b7824831c

SHA256
1ad6558d9ce4f91720df78552a3ea01a6108ff5b3e0de51a9e469ccdf7d6bbd5

SHA512
2cfe2ec0aa7bf60d8bd287acbec0a56e78e3568ffe15a5964e66d8a9a69373249ddd310275e5824ef4db58dbec78c0e43561085a0d5d4c21b37c2916b84c3721

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
301KB

MD5
0885bd4c3d0cc4582134b1b73b48f93e

SHA1
bffcc27ac17f340d6f4bb8a0fe658b9c808bbce9

SHA256
a09901277df0ea086bfceffb795440522c9797c8fedbe3453d33b7de002b6cff

SHA512
0fa90facdd0a672a2bb0e43249d456c68aa89397bf40faa35cd796d4db614f6af3f324d8bfe33eb7dc4e80f456c868b1cda810f002b3bafeb63696f6febafd7e

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
3.2MB

MD5
68b1ef420e7fc45dcad7830dcb806c3c

SHA1
40128f225c6bc209617eb0f760c0fb451e2639a7

SHA256
0cc3aa3f177ef455121988e86d9d1a011ae0c813dbb028062b0c109d89d701ab

SHA512
eec1887b7a0ce7d82f4bc823f4b952ee30a25f469435055bb6002639181d4ed91b05698f9bbc768986689cc2316e21b9b0663d1b97dc7386215ad00a07a407fc

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
5.3MB

MD5
97f28fc0ad22bd6edb9ab6ef96ded82e

SHA1
fb2797eb0c08c440e0d8dd5c076eb4833f86ce1f

SHA256
e8a14fa7733f03765f5c28a02b8057862ffc5d26195f3e717970d648b065a165

SHA512
0ca7a767bce16c793115036d14a108afc992b2c7418e47885aa5fb710239e97a7cbf35e85a46f8966b9bb48b26eb466439f933d9e1f165dc7530a4741b7c81fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\suw.0.bat

Filesize
174B

MD5
42f288f1f69bb5d6970b913bde54c8d7

SHA1
4d32249e8766aa0633f8bd0f1c60e0a1ca570b1e

SHA256
a2cadbb66e1f9ad1949471758aa8938ca633ecacded035a6b2f50937c8119270

SHA512
916db5d8f7d068283e5badff20f94166b8e5e36ca9f8d265e2abbe38d139d19495469b70d1120c74f43799ee33d898084eec438f3b64d9fcfbfccbdffc9485b7

Download Submit
memory/208-16-0x0000000001220000-0x0000000001C25000-memory.dmp

Filesize
10.0MB

Download
memory/208-21-0x0000000001220000-0x0000000001C25000-memory.dmp

Filesize
10.0MB

Download
memory/1112-5-0x0000000000E80000-0x0000000001885000-memory.dmp

Filesize
10.0MB

Download
memory/1112-0-0x0000000000E80000-0x0000000001885000-memory.dmp

Filesize
10.0MB

Download
memory/2012-32-0x0000000001220000-0x0000000001C25000-memory.dmp

Filesize
10.0MB

Download
memory/2012-37-0x0000000001220000-0x0000000001C25000-memory.dmp

Filesize
10.0MB

Download
memory/2372-48-0x0000000001220000-0x0000000001C25000-memory.dmp

Filesize
10.0MB

Download
memory/2372-53-0x0000000001220000-0x0000000001C25000-memory.dmp

Filesize
10.0MB

Download
memory/3804-56-0x0000000001220000-0x0000000001C25000-memory.dmp

Filesize
10.0MB

Download
memory/3804-61-0x0000000001220000-0x0000000001C25000-memory.dmp

Filesize
10.0MB

Download
memory/4068-29-0x0000000001220000-0x0000000001C25000-memory.dmp

Filesize
10.0MB

Download
memory/4068-24-0x0000000001220000-0x0000000001C25000-memory.dmp

Filesize
10.0MB

Download
memory/4328-40-0x0000000001220000-0x0000000001C25000-memory.dmp

Filesize
10.0MB

Download
memory/4328-45-0x0000000001220000-0x0000000001C25000-memory.dmp

Filesize
10.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads