447a62c7e29e2da85884b6e4aea80aca2cc5ba86694733ca397a2c8ba0f8e197

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libcef.dll
Size

706KB
MD5

dc14860a39efddfc056daa85cdcc1a50
SHA1

51b96037de1c411aaad4a13a89eb79f1b84c076a
SHA256

a54152723492d3efd9e2fbf64d6d8599766962d001cc0f21450bfa956862fbf4
SHA512

8719b1a95dfb891f3f1b2c379ab8d29bb4568f40c704ddfe8e6b866352957242ace554251c53929c8835d85dd70eb5d77dd343794957b9d1c65eae34cc64daf8
SSDEEP

12288:DKoqU6uTPHiRhH+q8liExRaEqVxwzvAIuh1XeqEU:DS+q8rMVxwzvmKU

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
312	schtasks.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2220	1244	rundll32.exe	28
PID 1244 wrote to memory of 2220	1244	rundll32.exe	28
PID 1244 wrote to memory of 2220	1244	rundll32.exe	28
PID 1244 wrote to memory of 2220	1244	rundll32.exe	28
PID 1244 wrote to memory of 2220	1244	rundll32.exe	28
PID 1244 wrote to memory of 2220	1244	rundll32.exe	28
PID 1244 wrote to memory of 2220	1244	rundll32.exe	28
PID 2220 wrote to memory of 312	2220	rundll32.exe	29
PID 2220 wrote to memory of 312	2220	rundll32.exe	29
PID 2220 wrote to memory of 312	2220	rundll32.exe	29
PID 2220 wrote to memory of 312	2220	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcef.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcef.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 2 /tn "TimeCheck" /tr "C:\Users\Public\Documents\WorkstationPro.exe"
    3⤵
    - Creates scheduled task(s)
    PID:312

C:\Windows\system32\taskeng.exe
taskeng.exe {5DF3FA0B-2F87-4F2D-B035-1DC3A69BC330} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads