df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942

General

Target

df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942.exe
Size

5.3MB
MD5

39e32d837675e3e6b6c91f53e9d83416
SHA1

cfce02330065e0660d47bc35c577d56b79a4a45d
SHA256

df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942
SHA512

0a9096ec243ad0b27c07ff48dafd5dbd90d94a44774c27bc1251270b216cded254489498bb8fc90b9a21edd04805137a31fcdd688f1083d23653ad749029811c
SSDEEP

98304:8aDQcPKHyi8lyJjrpij1onXLynPheXgQeWF4pTttT1+Z0wVpDUw8Gx6GjYuOd7Sj:nZWyHgJJij1WOPwXgQe4KRwVpAJbGcuP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1212	XRJNZC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5036	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1896	timeout.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 1360	3232	df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942.exe	32
PID 3232 wrote to memory of 1360	3232	df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942.exe	32
PID 3232 wrote to memory of 1360	3232	df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942.exe	32
PID 1360 wrote to memory of 1896	1360	cmd.exe	31
PID 1360 wrote to memory of 1896	1360	cmd.exe	31
PID 1360 wrote to memory of 1896	1360	cmd.exe	31
PID 1360 wrote to memory of 1212	1360	cmd.exe	77
PID 1360 wrote to memory of 1212	1360	cmd.exe	77
PID 1360 wrote to memory of 1212	1360	cmd.exe	77
PID 1212 wrote to memory of 5036	1212	XRJNZC.exe	78
PID 1212 wrote to memory of 5036	1212	XRJNZC.exe	78
PID 1212 wrote to memory of 5036	1212	XRJNZC.exe	78

C:\Users\Admin\AppData\Local\Temp\df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942.exe
"C:\Users\Admin\AppData\Local\Temp\df921c15d52a443bbe0555b78a0b077b05fef1f5ac2bf79cc9c1660d25f92942.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s2hs.0.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\ProgramData\pinterests\XRJNZC.exe
    "C:\ProgramData\pinterests\XRJNZC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
      4⤵
      Creates scheduled task(s)
      PID:5036

C:\Windows\SysWOW64\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:1896

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:1852

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:4064

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:3288

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:3260

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pinterests\XRJNZC.exe

Filesize
18KB

MD5
28229b88040f9ec2f59db255c2dd0fab

SHA1
072a51567cc6d5958bf901c46bd4d9838462001a

SHA256
f9d7b8d391e4c8409b5af7c1a3fbd383fbf191995799cc3e38fe4182a9ba6923

SHA512
45d10a8accbb4591eef4f00bee9913ff16fec85a26f6ba67ac8cb62d7f0c783bf00731373598fbba6742bb2410d831cb707889bda95a5601fab594afa4b86784

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
59KB

MD5
e419a9180d850fb8a0a925c615f88935

SHA1
d5c1d8d93b977b1eb0d66c388a75ddbc077b594c

SHA256
014ef431f0606d3edf8eb132cbc68ef618fe41759f21035fca1b8604f094e840

SHA512
9a3f2e80539e868099af3d80ad539ce3a4fcae636420549d84efeb23e3d67d5e2df2d022a2b1b36fe5b4bda1fbd22c43db1a8924df8d5805d8c9643fc81b63c8

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
76KB

MD5
f681b658fb468adb2a430fa155c4b6ac

SHA1
e231e1669285b2e323f1be77f0251fd2c0ea8cda

SHA256
e37110dc87ab5595787aac9cec4fe21d7e0d7744f53bfa2c19c1b53d4a5e348b

SHA512
3b676b55ea13d94b526dd6fdda14601451280dd5e59a9048f53dc148c52b49c918406120d18e86b2dc083cdb1eb257dc0c3a51d7a9eb6a8b251185eac14b3866

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
4KB

MD5
d0e4c1126a4488e40c8eb66dcaa06676

SHA1
7a713ea41f621839016b13e6d8ca06f9821de865

SHA256
2cc0052a49aa186a931fb46dfa3ab31a69204148385237aa51acd5567765ef97

SHA512
5e91e771ef3b6d9cc1d1da8065a69d4aa435891e6e29fe1ef185a80594c3bafd4f371765b4c6e999bca6e5847de96495fcc5245233db4a7f997cb413b7bf08a0

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
39KB

MD5
213e60398c5999145357226f3946cbd9

SHA1
3a482a47c5486f31d93ee971606a4889d2152150

SHA256
23638bf668ccbeb9f0c14c4edf24bf94805a1e83a2a32d6850bccbef4ced1433

SHA512
6dc98cc432e04983fbc06fdf6499bb6187d2c853d1140918b6349d65230d24070186d245f295458f4939c1a13cad09250c5e9396dcda7b3c4ab89405f577f9d6

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
2KB

MD5
101e868eac77072fbbe6c38cb366a7d6

SHA1
ae5057a3a11fd9db15d8e54e96066c16ed26f676

SHA256
d733a792cf3e4f47f333986b735116a5dfaac8cb0a679f0dd658897874ddb222

SHA512
4533fa420903dad9a80faca892c3efd026f81dec9c1c022da9f9ade300b2a8136146faeb9a3e1becf4109cbd3d7a9757b12a2319389022f0478e1932bedef11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2hs.0.bat

Filesize
176B

MD5
33f2600c876cd6d8b1ccf4b6928e29ad

SHA1
914db322ececbaf057987a7bbe5b70df3e8c94eb

SHA256
c59a72349480955d41ba0387bac6a588a83f01e1a6d8be4c59b52a68b4635433

SHA512
4de91f885bd9a23eca0bc273aa5fd7d95e181666d621e0e6382f73ad3129e917b3daeb65b9fa4e89b369086923dc085b158971f7368c3903df8e66bc14a62a49

Download Submit
memory/1212-16-0x0000000000900000-0x000000000137C000-memory.dmp

Filesize
10.5MB

Download
memory/1212-21-0x0000000000900000-0x000000000137C000-memory.dmp

Filesize
10.5MB

Download
memory/1852-29-0x0000000000900000-0x000000000137C000-memory.dmp

Filesize
10.5MB

Download
memory/1852-24-0x0000000000900000-0x000000000137C000-memory.dmp

Filesize
10.5MB

Download
memory/3232-0-0x0000000001100000-0x0000000001B7C000-memory.dmp

Filesize
10.5MB

Download
memory/3232-5-0x0000000001100000-0x0000000001B7C000-memory.dmp

Filesize
10.5MB

Download
memory/3260-48-0x0000000000900000-0x000000000137C000-memory.dmp

Filesize
10.5MB

Download
memory/3260-53-0x0000000000900000-0x000000000137C000-memory.dmp

Filesize
10.5MB

Download
memory/3288-40-0x0000000000900000-0x000000000137C000-memory.dmp

Filesize
10.5MB

Download
memory/3288-45-0x0000000000900000-0x000000000137C000-memory.dmp

Filesize
10.5MB

Download
memory/4064-32-0x0000000000900000-0x000000000137C000-memory.dmp

Filesize
10.5MB

Download
memory/4064-37-0x0000000000900000-0x000000000137C000-memory.dmp

Filesize
10.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads