3562405dc55d1be005e2f595808893a8a683bd8a85727be6c0f6b2eab2f92f04

General

Target

5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
Size

998KB
MD5

9a942028f55f59560c38677923c7ce6a
SHA1

069cf2b7306f61ac65a4598f519a83dd535325c9
SHA256

5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb
SHA512

e3f0f2d9d97cfa7178d3fd1e12cd35c9b1a5b08e92767389bcf998e428e08e4527fa7b9204941e849a6f28c240c52c57b653777e7620210c5d024dbce0a22eda
SSDEEP

24576:yxWTl+NDnZjbBxcxyGFKjL8kFzzjBh3HrYMY:lpknZHEyGw3t3cz

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2896 schtasks.exe

pid	process
2896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exepowershell.exepowershell.exe

pid	process
2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
2616	powershell.exe
2736	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe

C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPTpFDOlta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp388E.tmp"
2⤵
- Creates scheduled task(s)
PID:2896

C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
2⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
2⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
2⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
2⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
2⤵
PID:2520

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp388E.tmp
Filesize
1KB

MD5
b4a83abaf40c073fdf0f953a7e795b33

SHA1
bfa918a3923b0d221898e173905e7d8584940006

SHA256
03c049b5c573060c9f440a6760fca696ad0bc9a2b7042baeb355c692e89a82a7

SHA512
db8358b4de4cf877ce201c7912924af0e70cc160a2fe2757d4e7a184021d2369b400fca534d80b3ff57794a14568b101e0c3c9eb89441f5b1afdba968f160e0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
67ad509a38e7313dfe1f4e930f92991a

SHA1
f0e0d5ed5545e18ee800acfa5e411e95b02ca011

SHA256
1598c967acdac51b5189d2dfd28962104e04bac45f9b5e80353028b26fdcee5b

SHA512
3f014d2ec41eca6ff3bc45a1b6daaa0ba1346ee57fed0b0ba0b9fa00d2f9ef6f3718e887b50106c20f6510475b5bd481c2285cbd50ebeb51edbea0c6866f065a

Download Submit
memory/2044-19-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-4-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2044-5-0x0000000005440000-0x0000000005500000-memory.dmp

Filesize
768KB

Download
memory/2044-2-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download
memory/2044-1-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-0-0x00000000000A0000-0x00000000001A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-3-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/2616-24-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/2616-28-0x000000006EBE0000-0x000000006F18B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-20-0x000000006EBE0000-0x000000006F18B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-26-0x000000006EBE0000-0x000000006F18B000-memory.dmp

Filesize
5.7MB

Download
memory/2736-21-0x0000000002A60000-0x0000000002AA0000-memory.dmp

Filesize
256KB

Download
memory/2736-23-0x0000000002A60000-0x0000000002AA0000-memory.dmp

Filesize
256KB

Download
memory/2736-25-0x0000000002A60000-0x0000000002AA0000-memory.dmp

Filesize
256KB

Download
memory/2736-22-0x000000006EBE0000-0x000000006F18B000-memory.dmp

Filesize
5.7MB

Download
memory/2736-18-0x000000006EBE0000-0x000000006F18B000-memory.dmp

Filesize
5.7MB

Download
memory/2736-27-0x000000006EBE0000-0x000000006F18B000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 2044 wrote to memory of 2616	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	powershell.exe
PID 2044 wrote to memory of 2616	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	powershell.exe
PID 2044 wrote to memory of 2616	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	powershell.exe
PID 2044 wrote to memory of 2616	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	powershell.exe
PID 2044 wrote to memory of 2736	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	powershell.exe
PID 2044 wrote to memory of 2736	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	powershell.exe
PID 2044 wrote to memory of 2736	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	powershell.exe
PID 2044 wrote to memory of 2736	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	powershell.exe
PID 2044 wrote to memory of 2896	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	schtasks.exe
PID 2044 wrote to memory of 2896	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	schtasks.exe
PID 2044 wrote to memory of 2896	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	schtasks.exe
PID 2044 wrote to memory of 2896	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	schtasks.exe
PID 2044 wrote to memory of 2524	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2524	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2524	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2524	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2544	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2544	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2544	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2544	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2592	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2592	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2592	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2592	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2880	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2880	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2880	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2880	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2520	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2520	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2520	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
PID 2044 wrote to memory of 2520	2044	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe	5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads