a1a75a717953ccb8afbdba7f5dae113dba630c6c90820f927f41d28782ed483b

General

Target

a1a75a717953ccb8afbdba7f5dae113dba630c6c90820f927f41d28782ed483b.exe
Size

6.3MB
MD5

4a4f67492c758b1b02984f0f767b73ae
SHA1

693c0ab10732f313f563d67146907f54e4935c3d
SHA256

a1a75a717953ccb8afbdba7f5dae113dba630c6c90820f927f41d28782ed483b
SHA512

2908cba458b21ea19181ffbfe91953d243e7f2b32410dc66f2b5ece7fb6e6e81c5df3112974269b2a54437199359d82784ccfd251e2969f0df8db86294dd9c86
SSDEEP

98304:DesN0L5nGC09I1dIWGiyY3ZxUdSxAQ5EEXZtvLj1/fwGNPfBKlSvZpNDZo4Vl:DeP5GC0u1iWGrUZdBfvP1nhPfsExbD/j

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2468	XRJNZC.exe
2428	XRJNZC.exe
452	XRJNZC.exe

Loads dropped DLL 2 IoCs

pid	Process
3040	cmd.exe
3040	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1796	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2688	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2360	a1a75a717953ccb8afbdba7f5dae113dba630c6c90820f927f41d28782ed483b.exe
2360	a1a75a717953ccb8afbdba7f5dae113dba630c6c90820f927f41d28782ed483b.exe
2468	XRJNZC.exe
2468	XRJNZC.exe
2428	XRJNZC.exe
2428	XRJNZC.exe
452	XRJNZC.exe
452	XRJNZC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3040	2360	a1a75a717953ccb8afbdba7f5dae113dba630c6c90820f927f41d28782ed483b.exe	30
PID 2360 wrote to memory of 3040	2360	a1a75a717953ccb8afbdba7f5dae113dba630c6c90820f927f41d28782ed483b.exe	30
PID 2360 wrote to memory of 3040	2360	a1a75a717953ccb8afbdba7f5dae113dba630c6c90820f927f41d28782ed483b.exe	30
PID 2360 wrote to memory of 3040	2360	a1a75a717953ccb8afbdba7f5dae113dba630c6c90820f927f41d28782ed483b.exe	30
PID 3040 wrote to memory of 2688	3040	cmd.exe	28
PID 3040 wrote to memory of 2688	3040	cmd.exe	28
PID 3040 wrote to memory of 2688	3040	cmd.exe	28
PID 3040 wrote to memory of 2688	3040	cmd.exe	28
PID 3040 wrote to memory of 2468	3040	cmd.exe	31
PID 3040 wrote to memory of 2468	3040	cmd.exe	31
PID 3040 wrote to memory of 2468	3040	cmd.exe	31
PID 3040 wrote to memory of 2468	3040	cmd.exe	31
PID 2468 wrote to memory of 1796	2468	XRJNZC.exe	33
PID 2468 wrote to memory of 1796	2468	XRJNZC.exe	33
PID 2468 wrote to memory of 1796	2468	XRJNZC.exe	33
PID 2468 wrote to memory of 1796	2468	XRJNZC.exe	33
PID 1792 wrote to memory of 2428	1792	taskeng.exe	35
PID 1792 wrote to memory of 2428	1792	taskeng.exe	35
PID 1792 wrote to memory of 2428	1792	taskeng.exe	35
PID 1792 wrote to memory of 2428	1792	taskeng.exe	35
PID 1792 wrote to memory of 452	1792	taskeng.exe	38
PID 1792 wrote to memory of 452	1792	taskeng.exe	38
PID 1792 wrote to memory of 452	1792	taskeng.exe	38
PID 1792 wrote to memory of 452	1792	taskeng.exe	38

C:\Users\Admin\AppData\Local\Temp\a1a75a717953ccb8afbdba7f5dae113dba630c6c90820f927f41d28782ed483b.exe
"C:\Users\Admin\AppData\Local\Temp\a1a75a717953ccb8afbdba7f5dae113dba630c6c90820f927f41d28782ed483b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\s1tk.0.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\ProgramData\pinterests\XRJNZC.exe
    "C:\ProgramData\pinterests\XRJNZC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
      4⤵
      Creates scheduled task(s)
      PID:1796

C:\Windows\SysWOW64\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:2688

C:\Windows\system32\taskeng.exe
taskeng.exe {7AC475E2-B263-4671-A60C-EF2F93836E0D} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2428
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pinterests\XRJNZC.exe

Filesize
217KB

MD5
a41c06d49c01051838820d90c0a34b09

SHA1
859181318376f72c1bc461183fdcf70f17fc2cc6

SHA256
8c60ac665c92e60d5424a71314ac2ad3e937c5fefd637398812096f5e60641b9

SHA512
bd9de96b2c725d6033dd6d99369800f289558a4dad0fac679b1c8c155cc5d2553dc903b586e2b326829af1cc222038def8196c427b66e2c69a26af0f5e51fe8b

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
894KB

MD5
655bf57bc20639f4b001ea278f217f3a

SHA1
ef5b6bf2f00da56a450af3401521c44ae5928004

SHA256
6c18b117020bcbed3a5d56e4844bd8e47c6372091f56a8d6ccbaf45c2b993e9f

SHA512
bff35ce0e1cc2ebb88dc6473f397095270ec6d31b703e8fc54899132fffb6303a6094c0bcdafbb852f741641baf9cebeef014b115f55116b92e708f5deca2b98

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
92KB

MD5
89e633f75fd8121226bf2ac7c3b82464

SHA1
e95cec1986796527c887bcd2a5d8177990601eba

SHA256
47bf7f9a6a49a69dc64343c50ef40dd64016182ef94fc7f1f4651613a291b0c7

SHA512
76f2fa461b13044c316e9ea2e86f4c9a342ed21b22e145935cd4d2019af8900c56b7bbe8b195ebfa5d3993191e9114b915567b5795365020d89371e110b40791

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1tk.0.bat

Filesize
176B

MD5
0083a11c766d67254042b2978be588a5

SHA1
31d9c0aa6297a4eff12298dcd5c8b259f72a28cf

SHA256
5cd95d21c6a9950e6a4d602b12570dd0ecce5d0b2801aa3fd6e0cbe406e178d5

SHA512
f08c988ebcc04c9b63758e4af8054671b8e34890646fd0e0c3893c6137f5cd5fc4570fe53487c70fda0305c17e77d223bd140c2ea6f4c8f5ce995576396873da

Download Submit
\ProgramData\pinterests\XRJNZC.exe

Filesize
386KB

MD5
8b5aa311253d94171a33f3ba9dc5ffe2

SHA1
96bf4b7c64774625c34439a44e85425bdf8651aa

SHA256
fadec8881f52efaff7250472bafc613e2d9de506fc30fa55befe5bb1fe909ba6

SHA512
a864cbc80100ece69a094f0961537b7fd98a71ed3bf0146810c10ca0d3fe40d9bbd041aecb77211e012454c757e919cdf7933fcfae4640ff420116fdd230b9d7

Download Submit
\ProgramData\pinterests\XRJNZC.exe

Filesize
381KB

MD5
d16ad5912fabc5324da3c674a42c3910

SHA1
819badb6064ff13c4987f05807199a1c22a743df

SHA256
ce5a22ee16a1c6a10192e29f862d7978211077d6f2632a5c96dd8e2d49e46ba7

SHA512
fc3ca767c0cb25a07932d389545c5e22bf0110b4cbf863af038a43c24dd0664e5aef1d91b680ae5a4031e5165ba84b82c5b4fdceea76189ca754ef966ea22cdf

Download Submit
memory/452-176-0x0000000000D60000-0x000000000193A000-memory.dmp

Filesize
11.9MB

Download
memory/452-145-0x0000000000D60000-0x000000000193A000-memory.dmp

Filesize
11.9MB

Download
memory/2360-23-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2360-11-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2360-25-0x0000000000F10000-0x0000000001AEA000-memory.dmp

Filesize
11.9MB

Download
memory/2360-26-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2360-29-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2360-31-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2360-34-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2360-36-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2360-50-0x0000000000F10000-0x0000000001AEA000-memory.dmp

Filesize
11.9MB

Download
memory/2360-15-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2360-18-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2360-20-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2360-13-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2360-0-0x0000000000F10000-0x0000000001AEA000-memory.dmp

Filesize
11.9MB

Download
memory/2360-6-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2360-8-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2360-10-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2428-104-0x0000000000D60000-0x000000000193A000-memory.dmp

Filesize
11.9MB

Download
memory/2428-135-0x0000000000D60000-0x000000000193A000-memory.dmp

Filesize
11.9MB

Download
memory/2468-81-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2468-79-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2468-76-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2468-74-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2468-71-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2468-94-0x0000000000D60000-0x000000000193A000-memory.dmp

Filesize
11.9MB

Download
memory/2468-68-0x0000000000D60000-0x000000000193A000-memory.dmp

Filesize
11.9MB

Download
memory/2468-65-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2468-55-0x0000000000D60000-0x000000000193A000-memory.dmp

Filesize
11.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads