50a46b3120da828502ef0caba15defbad004a3adb88e6eacf1f9604572e2d503

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 17:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

4.7MB
MD5

5e94f0f6265f9e8b2f706f1d46bbd39e
SHA1

d0189cba430f5eea07efe1ab4f89adf5ae2453db
SHA256

50a46b3120da828502ef0caba15defbad004a3adb88e6eacf1f9604572e2d503
SHA512

473dfa66a36feed9b29a43245074141478327ce22ba7cce512599379dcb783b4d665e2d65c5e9750b988c7ed8f6c3349a7a12d4b8b57c89840eee6ca6e1a30cd
SSDEEP

49152:90oSiZ63YBmS9+rCgpvH8la0ZxRh+caGnj8HEQUhexTUT+1d/2/Tbt:0Ula0cGwXUheabt

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1640	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4592	tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 4836	4592	tmp.exe	84
PID 4592 wrote to memory of 4836	4592	tmp.exe	84
PID 4592 wrote to memory of 4836	4592	tmp.exe	84
PID 4836 wrote to memory of 5636	4836	cmd.exe	86
PID 4836 wrote to memory of 5636	4836	cmd.exe	86
PID 4836 wrote to memory of 5636	4836	cmd.exe	86
PID 4836 wrote to memory of 1640	4836	cmd.exe	87
PID 4836 wrote to memory of 1640	4836	cmd.exe	87
PID 4836 wrote to memory of 1640	4836	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:5636
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
    3⤵
    - Creates scheduled task(s)
    PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
memory/4592-0-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/4592-4-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/4592-6-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads