Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03/02/2024, 14:11

General

  • Target

    8c875d52a2ae6452ffe4d3437c916346.exe

  • Size

    262KB

  • MD5

    8c875d52a2ae6452ffe4d3437c916346

  • SHA1

    a8761f0a13f8eb04c8c43820b747340340a896d0

  • SHA256

    3c876e9284562cf9374ba6384a2073aa1043c6dd2be0b0fb9d1075ebb9a84e6c

  • SHA512

    2845291eede1080b9d6ee15ab195212f1253b76ef7fef0a58584db673ecd14e78dded855d336e20349abfa2c9c131e0b93c5d2619e6359054bc8520308bf1ffe

  • SSDEEP

    3072:4LbY/xvmYCOU2+GxOuyKNLRZqExzUNeFbb1EjQIsUBz65/M6If+3Js+3JFkKeTn:4LpGkKxRniIbbKBxBt25

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe
    "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3232
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYANP /F
      2⤵
      PID:2892
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 5
      2⤵
      • Creates scheduled task(s)
      PID:1380
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYAN /F
      2⤵
      PID:5072
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 1
      2⤵
      • Creates scheduled task(s)
      PID:4896

  • C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe
    C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYANP /F
      2⤵
      PID:3928
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 5
      2⤵
      • Creates scheduled task(s)
      PID:1096
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYAN /F
      2⤵
      PID:3584
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 1
      2⤵
      • Creates scheduled task(s)
      PID:3208

  • C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe
    C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYANP /F
      2⤵
      PID:1676
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 5
      2⤵
      • Creates scheduled task(s)
      PID:2764
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYAN /F
      2⤵
      PID:4696
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 1
      2⤵
      • Creates scheduled task(s)
      PID:1272
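Every instance of the sample in the tree above runs the same four-step sequence: force-delete NYANP, re-create it to relaunch the sample every 5 minutes, force-delete NYAN, re-create it to relaunch every minute. The Python below is an added example, not part of the sandbox report or of the sample, showing how a detection engineer can turn those schtasks command lines into a hunt: it parses `schtasks /create` arguments, flags tasks whose action lives in a user-writable directory or fires at minute granularity, and uses a preceding forced `/Delete` of the same task name as corroboration. The sample input is the four command lines recorded for PID 3232 plus one made-up benign task (the `BackupNightly` line is an assumption added for contrast); the `USER_WRITABLE` path list and the 5-minute threshold are the example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the four schtasks command lines recorded for PID 3232 in the
# process tree above, plus one hypothetical benign task for contrast (assumption).
SAMPLE_CMDLINES = [
    'schtasks /Delete /tn NYANP /F',
    'schtasks /create /tn NYANP /tr "C:\\Users\\Admin\\AppData\\Local\\Temp\\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 5',
    'schtasks /Delete /tn NYAN /F',
    'schtasks /create /tn NYAN /tr "C:\\Users\\Admin\\AppData\\Local\\Temp\\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 1',
    'schtasks /create /tn BackupNightly /tr "C:\\Program Files\\Backup\\backup.exe" /sc daily /st 02:00',
]

# Directories a standard user can write to (example's own list, not exhaustive):
# a scheduled task that launches a binary from one of these deserves a closer look.
USER_WRITABLE = re.compile(
    r'\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\',
    re.IGNORECASE,
)

# Minute-level re-execution is the "watchdog" pattern: relaunch me if I get killed.
MAX_SUSPICIOUS_MINUTES = 5

# Tokenizer that keeps quoted paths (which may contain spaces) as one token.
TOKEN = re.compile(r'"[^"]*"|\S+')


@dataclass
class SchtasksCmd:
    action: str                       # "create" or "delete"
    name: Optional[str] = None        # /tn
    run: Optional[str] = None         # /tr
    schedule: Optional[str] = None    # /sc, lower-cased
    modifier: Optional[int] = None    # /mo, if numeric
    force: bool = False               # /F


def parse_schtasks(cmdline: str) -> Optional[SchtasksCmd]:
    """Parse a schtasks /create or /delete command line; None if it is neither."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not tokens:
        return None
    exe = tokens[0].lower().rsplit('\\', 1)[-1]
    if exe not in ('schtasks', 'schtasks.exe'):
        return None
    cmd = SchtasksCmd(action='')
    i = 1
    while i < len(tokens):
        flag = tokens[i].lower()
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        if flag == '/create':
            cmd.action = 'create'
        elif flag == '/delete':
            cmd.action = 'delete'
        elif flag == '/f':
            cmd.force = True
        elif flag == '/tn':
            cmd.name, i = value, i + 1
        elif flag == '/tr':
            cmd.run, i = value, i + 1
        elif flag == '/sc':
            cmd.schedule, i = (value.lower() if value else None), i + 1
        elif flag == '/mo':
            cmd.modifier, i = (int(value) if value and value.isdigit() else None), i + 1
        i += 1
    return cmd if cmd.action else None


def assess(cmd: SchtasksCmd) -> list:
    """Return the reasons a /create command looks like persistence (empty if none)."""
    reasons = []
    if cmd.action != 'create':
        return reasons
    if cmd.run and USER_WRITABLE.search(cmd.run):
        reasons.append(f'task action lives in a user-writable directory: {cmd.run}')
    if cmd.schedule == 'minute':
        every = cmd.modifier if cmd.modifier is not None else 1  # schtasks treats a missing /mo as 1
        if every <= MAX_SUSPICIOUS_MINUTES:
            reasons.append(f'minute-level re-execution (/sc minute /mo {every})')
    return reasons


def hunt(cmdlines) -> list:
    """Scan process-creation command lines in order; flag suspicious task creations.

    A forced /Delete of the same task name earlier in the stream is added as a
    corroborating reason only when the creation is already suspicious, because
    delete-then-create on its own is also how legitimate installers refresh tasks.
    """
    deleted = set()
    findings = []
    for line in cmdlines:
        cmd = parse_schtasks(line)
        if cmd is None:
            continue
        if cmd.action == 'delete':
            if cmd.name and cmd.force:
                deleted.add(cmd.name.lower())
            continue
        reasons = assess(cmd)
        if reasons and cmd.name and cmd.name.lower() in deleted:
            reasons.append('task re-registered after a forced /Delete of the same name')
        if reasons:
            findings.append({'task': cmd.name, 'run': cmd.run, 'schedule': cmd.schedule,
                             'every': cmd.modifier, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in hunt(SAMPLE_CMDLINES):
        print(f"{f['task']}: {f['run']} ({f['schedule']}/{f['every']})")
        for r in f['reasons']:
            print(f'  - {r}')
```

Fed the command lines from Sysmon Event ID 1 or Windows Security 4688 (with command-line auditing enabled), the same logic works on live telemetry; the task names NYAN and NYANP are specific to this sample and should be treated as weak indicators compared with the path and frequency checks.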

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\8c875d52a2ae6452ffe4d3437c916346.exe.log

    Filesize

    408B

    MD5

    40b0c3caa1b14a4c83e8475c46bf2016

    SHA1

    af9575cda4d842f028d18b17063796a894ecd9d0

    SHA256

    70e88a428d92b6ab5905dac9f324824c4c6f120bc3f385c82b2d12f707a4a867

    SHA512

    916437df737de4b6063b7116b4d148229d4a975eb4046122d47434b81fba06e88e09e5f273ec496c81ef3feecb843ccad20a7a04074224416c1fa9951acbdac7

  • memory/1336-21-0x0000000074FE0000-0x0000000075591000-memory.dmp (Filesize 5.7MB)
  • memory/1336-20-0x00000000010A0000-0x00000000010B0000-memory.dmp (Filesize 64KB)
  • memory/1336-19-0x00000000010A0000-0x00000000010B0000-memory.dmp (Filesize 64KB)
  • memory/1336-18-0x0000000074FE0000-0x0000000075591000-memory.dmp (Filesize 5.7MB)
  • memory/1336-17-0x00000000010A0000-0x00000000010B0000-memory.dmp (Filesize 64KB)
  • memory/1336-16-0x0000000074FE0000-0x0000000075591000-memory.dmp (Filesize 5.7MB)
  • memory/2300-10-0x0000000074FE0000-0x0000000075591000-memory.dmp (Filesize 5.7MB)
  • memory/2300-11-0x0000000074FE0000-0x0000000075591000-memory.dmp (Filesize 5.7MB)
  • memory/2300-14-0x0000000074FE0000-0x0000000075591000-memory.dmp (Filesize 5.7MB)
  • memory/2300-12-0x0000000001030000-0x0000000001040000-memory.dmp (Filesize 64KB)
  • memory/3232-7-0x0000000001020000-0x0000000001030000-memory.dmp (Filesize 64KB)
  • memory/3232-0-0x0000000074FE0000-0x0000000075591000-memory.dmp (Filesize 5.7MB)
  • memory/3232-9-0x0000000001020000-0x0000000001030000-memory.dmp (Filesize 64KB)
  • memory/3232-8-0x0000000001020000-0x0000000001030000-memory.dmp (Filesize 64KB)
  • memory/3232-6-0x0000000074FE0000-0x0000000075591000-memory.dmp (Filesize 5.7MB)
  • memory/3232-5-0x0000000074FE0000-0x0000000075591000-memory.dmp (Filesize 5.7MB)
  • memory/3232-4-0x0000000001020000-0x0000000001030000-memory.dmp (Filesize 64KB)
  • memory/3232-3-0x0000000001020000-0x0000000001030000-memory.dmp (Filesize 64KB)
  • memory/3232-2-0x0000000001020000-0x0000000001030000-memory.dmp (Filesize 64KB)
  • memory/3232-1-0x0000000074FE0000-0x0000000075591000-memory.dmp (Filesize 5.7MB)