Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
22-02-2024 06:46
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20240221-en
General
-
Target
tmp.exe
-
Size
22.6MB
-
MD5
f5997f81b5539a1864d4d73a2157c62c
-
SHA1
41c9f5f708f5204d280531418a21c94c9282ab00
-
SHA256
168d5fbff06d12257f657c74bc03a1b0e760dc8cb591847b6e1b8b10ebfd79bd
-
SHA512
f9ec85432ecae389f08c28a3723fa59e479f827e8ac5b5b4a078a0da425228ba41ea0cc4f42da1c9b8d400dc89322e1ea5976453f5eee51c74754dfcb7f1befa
-
SSDEEP
393216:+G251FGAsxevJZx3s0KaALRadLxlkux8b++90R5Q:+D1Ftp3nxl8b++90nQ
Malware Config
Signatures
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2568 schtasks.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3032 wrote to memory of 2608 3032 tmp.exe 29 PID 3032 wrote to memory of 2608 3032 tmp.exe 29 PID 3032 wrote to memory of 2608 3032 tmp.exe 29 PID 2608 wrote to memory of 2568 2608 cmd.exe 31 PID 2608 wrote to memory of 2568 2608 cmd.exe 31 PID 2608 wrote to memory of 2568 2608 cmd.exe 31 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\system32\cmd.exe"cmd.exe" /c schtasks /create /xml "C:\testinstal\ScheduledDefrag.xml" /tn "Microsoft\Windows\\Bluetooth\ScheduledDefrag" /RU SYSTEM2⤵
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\system32\schtasks.exeschtasks /create /xml "C:\testinstal\ScheduledDefrag.xml" /tn "Microsoft\Windows\\Bluetooth\ScheduledDefrag" /RU SYSTEM3⤵
- Creates scheduled task(s)
PID:2568
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD5ef18724bcaa62986d437b970d5a2e57e
SHA10e58cbb621cca7b53cb25c8925f4c3a2dea3b388
SHA256f4f28a74d250e7f7a6ff0e19c542a48f4e3b8f8e664857395ceb2e265580ea1a
SHA512afb86b74bab0f9f2cb641115bfbe6621bb94336926921a09a1a4d7ff5dadd038d1f323439a91aaf65a1e58b3e0313941ee66b3c3272f60ebf1435dca25c43c87