168d5fbff06d12257f657c74bc03a1b0e760dc8cb591847b6e1b8b10ebfd79bd

Analysis

max time kernel
93s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

22.6MB
MD5

f5997f81b5539a1864d4d73a2157c62c
SHA1

41c9f5f708f5204d280531418a21c94c9282ab00
SHA256

168d5fbff06d12257f657c74bc03a1b0e760dc8cb591847b6e1b8b10ebfd79bd
SHA512

f9ec85432ecae389f08c28a3723fa59e479f827e8ac5b5b4a078a0da425228ba41ea0cc4f42da1c9b8d400dc89322e1ea5976453f5eee51c74754dfcb7f1befa
SSDEEP

393216:+G251FGAsxevJZx3s0KaALRadLxlkux8b++90R5Q:+D1Ftp3nxl8b++90nQ

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2104	schtasks.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 1624	4992	tmp.exe	90
PID 4992 wrote to memory of 1624	4992	tmp.exe	90
PID 1624 wrote to memory of 2104	1624	cmd.exe	92
PID 1624 wrote to memory of 2104	1624	cmd.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c schtasks /create /xml "C:\testinstal\ScheduledDefrag.xml" /tn "Microsoft\Windows\\Bluetooth\ScheduledDefrag" /RU SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\schtasks.exe
    schtasks /create /xml "C:\testinstal\ScheduledDefrag.xml" /tn "Microsoft\Windows\\Bluetooth\ScheduledDefrag" /RU SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\testinstal\ScheduledDefrag.xml

Filesize
5KB

MD5
ef18724bcaa62986d437b970d5a2e57e

SHA1
0e58cbb621cca7b53cb25c8925f4c3a2dea3b388

SHA256
f4f28a74d250e7f7a6ff0e19c542a48f4e3b8f8e664857395ceb2e265580ea1a

SHA512
afb86b74bab0f9f2cb641115bfbe6621bb94336926921a09a1a4d7ff5dadd038d1f323439a91aaf65a1e58b3e0313941ee66b3c3272f60ebf1435dca25c43c87

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads