dbe6359af1e119c871d0811f321e2ee4044eaf6ec65c68623937d096c197fe8c

General

Target

54632e7d37d3142474baff846284247d.exe
Size

812KB
MD5

54632e7d37d3142474baff846284247d
SHA1

dfd39606a2dce9ffe5887f494d2cba0ee3c8bd22
SHA256

dbe6359af1e119c871d0811f321e2ee4044eaf6ec65c68623937d096c197fe8c
SHA512

0679ef0eb7b973cef0ebb94bc4e8b0eaf2e5a9ef587b4c54fe81dc984d762bda60266ba83da24bbd5cf9f42110f78b7850e3e4a5cdec8c88037734bf5ccd95ee
SSDEEP

12288:2Pp+gczyhNSvRbBQHR4qz91hI0zSaNsvz+yuWDVId21NaI+E8tyvXMpJXfXUy/Wj:2Dpjtacljjy4OyJC+Ah+yFQzHm2G

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2724	54632e7d37d3142474baff846284247d.exe
2724	54632e7d37d3142474baff846284247d.exe
2724	54632e7d37d3142474baff846284247d.exe
2724	54632e7d37d3142474baff846284247d.exe
2724	54632e7d37d3142474baff846284247d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	54632e7d37d3142474baff846284247d.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2680	2724	54632e7d37d3142474baff846284247d.exe	34
PID 2724 wrote to memory of 2680	2724	54632e7d37d3142474baff846284247d.exe	34
PID 2724 wrote to memory of 2680	2724	54632e7d37d3142474baff846284247d.exe	34
PID 2724 wrote to memory of 2680	2724	54632e7d37d3142474baff846284247d.exe	34
PID 2724 wrote to memory of 2584	2724	54632e7d37d3142474baff846284247d.exe	32
PID 2724 wrote to memory of 2584	2724	54632e7d37d3142474baff846284247d.exe	32
PID 2724 wrote to memory of 2584	2724	54632e7d37d3142474baff846284247d.exe	32
PID 2724 wrote to memory of 2584	2724	54632e7d37d3142474baff846284247d.exe	32
PID 2724 wrote to memory of 2816	2724	54632e7d37d3142474baff846284247d.exe	31
PID 2724 wrote to memory of 2816	2724	54632e7d37d3142474baff846284247d.exe	31
PID 2724 wrote to memory of 2816	2724	54632e7d37d3142474baff846284247d.exe	31
PID 2724 wrote to memory of 2816	2724	54632e7d37d3142474baff846284247d.exe	31
PID 2724 wrote to memory of 2468	2724	54632e7d37d3142474baff846284247d.exe	30
PID 2724 wrote to memory of 2468	2724	54632e7d37d3142474baff846284247d.exe	30
PID 2724 wrote to memory of 2468	2724	54632e7d37d3142474baff846284247d.exe	30
PID 2724 wrote to memory of 2468	2724	54632e7d37d3142474baff846284247d.exe	30
PID 2724 wrote to memory of 2720	2724	54632e7d37d3142474baff846284247d.exe	29
PID 2724 wrote to memory of 2720	2724	54632e7d37d3142474baff846284247d.exe	29
PID 2724 wrote to memory of 2720	2724	54632e7d37d3142474baff846284247d.exe	29
PID 2724 wrote to memory of 2720	2724	54632e7d37d3142474baff846284247d.exe	29
PID 2724 wrote to memory of 2812	2724	54632e7d37d3142474baff846284247d.exe	28
PID 2724 wrote to memory of 2812	2724	54632e7d37d3142474baff846284247d.exe	28
PID 2724 wrote to memory of 2812	2724	54632e7d37d3142474baff846284247d.exe	28
PID 2724 wrote to memory of 2812	2724	54632e7d37d3142474baff846284247d.exe	28

C:\Users\Admin\AppData\Local\Temp\54632e7d37d3142474baff846284247d.exe
"C:\Users\Admin\AppData\Local\Temp\54632e7d37d3142474baff846284247d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\AppData\Local\Temp\54632e7d37d3142474baff846284247d.exe
  "{path}"
  2⤵
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\54632e7d37d3142474baff846284247d.exe
  "{path}"
  2⤵
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\54632e7d37d3142474baff846284247d.exe
  "{path}"
  2⤵
  PID:2468
- C:\Users\Admin\AppData\Local\Temp\54632e7d37d3142474baff846284247d.exe
  "{path}"
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\54632e7d37d3142474baff846284247d.exe
  "{path}"
  2⤵
  PID:2584
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BOZtQE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp86BD.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp86BD.tmp

Filesize
1KB

MD5
8b023b9beee9ff35973e5572cc6e4cfc

SHA1
f3e5758dc53b116e5eca792b3dc3fbf66ce4a2a5

SHA256
15a4d0430c66ce152377a8db078563459f49d1ac07e5bd1f0c43231269a0eafa

SHA512
ef4bac70cff6b749cd14441961d05690bb86feb214010c89444f9534664597483bb111a1cba2e2ae4ed5ff0ca0c47a7b24c08b8c05f073f50bbfd8303825db5a

Download Submit
memory/2724-0-0x0000000000380000-0x0000000000452000-memory.dmp

Filesize
840KB

Download
memory/2724-1-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-2-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/2724-3-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/2724-4-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-5-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/2724-6-0x0000000008080000-0x000000000813C000-memory.dmp

Filesize
752KB

Download
memory/2724-7-0x0000000007FB0000-0x0000000008062000-memory.dmp

Filesize
712KB

Download
memory/2724-11-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads