74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde

General

Target

74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
Size

1017KB
MD5

35c7bcd728b39a9a3195b5fcf01aa796
SHA1

e3b0f50930786ae6a63bae1c25ca7dad5a9c84bd
SHA256

74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde
SHA512

71fa1a8c4678b0897180e652dac0229401c129d051089b884a655cbdf91d2ba331401ba29df19035bb8fa0c6a663222e986b72ad13ed11fcd387a95c4477ba5d
SSDEEP

12288:pmYj5zRYzJ4LbYeq8MSKh7vmgYwafGzOygGGBzi5OznC0kHEhCu:pdj5zezJ4g58MDvYwaOzpM12KCu

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2564 schtasks.exe

pid	process
2564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exepowershell.exepowershell.exe

pid	process
2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
2516	powershell.exe
2692	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe

C:\Users\Admin\AppData\Local\Temp\74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
"C:\Users\Admin\AppData\Local\Temp\74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WijfyTL.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WijfyTL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC7A3.tmp"
2⤵
- Creates scheduled task(s)
PID:2564

C:\Users\Admin\AppData\Local\Temp\74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
"C:\Users\Admin\AppData\Local\Temp\74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe"
2⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
"C:\Users\Admin\AppData\Local\Temp\74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe"
2⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
"C:\Users\Admin\AppData\Local\Temp\74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe"
2⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
"C:\Users\Admin\AppData\Local\Temp\74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe"
2⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
"C:\Users\Admin\AppData\Local\Temp\74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe"
2⤵
PID:2520

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC7A3.tmp
Filesize
1KB

MD5
57021bda6eb06755582f5a25be0d0a73

SHA1
b4b8a033514d4c898701717333ae4fffc9b6aa4a

SHA256
feed4c689ab57cd3022c13ae479870850cc3410a70d3f8a8ab193a6e46f36964

SHA512
3acd94a7d72a3efb385ed8174b249b135e2a45d2561e6483890470e255a1189fea4a96bdf4d62e0bf8f64fa492c15221edd6fedd2ea6640cf8735d659b31f464

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4c86c818b7fbf623bc5b5e4afcb24726

SHA1
c12f9f0b3842607d85201da3c7833d8067ee7161

SHA256
f979109325129b614b150b4c0fdf9ba4dff50e9fc2cd7bccb431735a4ef7f16a

SHA512
11d120468681fe08147f11499a437d6e6e7f34aafc7cbb38d8a51bf6f450720e2a4fcc7bc0986a069744777dda3a6408f2bd78e0862f41831a22620445d5113c

Download Submit
memory/2516-28-0x000000006E560000-0x000000006EB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-27-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2516-24-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2516-23-0x000000006E560000-0x000000006EB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-21-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2516-19-0x000000006E560000-0x000000006EB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2692-25-0x00000000023C0000-0x0000000002400000-memory.dmp

Filesize
256KB

Download
memory/2692-20-0x000000006E560000-0x000000006EB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2692-22-0x000000006E560000-0x000000006EB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2692-26-0x00000000023C0000-0x0000000002400000-memory.dmp

Filesize
256KB

Download
memory/2692-29-0x000000006E560000-0x000000006EB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-18-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2772-6-0x0000000004050000-0x00000000040FC000-memory.dmp

Filesize
688KB

Download
memory/2772-5-0x00000000009F0000-0x0000000000A04000-memory.dmp

Filesize
80KB

Download
memory/2772-4-0x00000000007D0000-0x00000000007DE000-memory.dmp

Filesize
56KB

Download
memory/2772-0-0x0000000000370000-0x0000000000474000-memory.dmp

Filesize
1.0MB

Download
memory/2772-3-0x0000000000480000-0x0000000000498000-memory.dmp

Filesize
96KB

Download
memory/2772-2-0x0000000004440000-0x0000000004480000-memory.dmp

Filesize
256KB

Download
memory/2772-1-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 2772 wrote to memory of 2516	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	powershell.exe
PID 2772 wrote to memory of 2516	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	powershell.exe
PID 2772 wrote to memory of 2516	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	powershell.exe
PID 2772 wrote to memory of 2516	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	powershell.exe
PID 2772 wrote to memory of 2692	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	powershell.exe
PID 2772 wrote to memory of 2692	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	powershell.exe
PID 2772 wrote to memory of 2692	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	powershell.exe
PID 2772 wrote to memory of 2692	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	powershell.exe
PID 2772 wrote to memory of 2564	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	schtasks.exe
PID 2772 wrote to memory of 2564	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	schtasks.exe
PID 2772 wrote to memory of 2564	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	schtasks.exe
PID 2772 wrote to memory of 2564	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	schtasks.exe
PID 2772 wrote to memory of 2544	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2544	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2544	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2544	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2580	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2580	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2580	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2580	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2572	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2572	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2572	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2572	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2456	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2456	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2456	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2456	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2520	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2520	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2520	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe
PID 2772 wrote to memory of 2520	2772	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe	74a7dbf3da213ddbc93bae4a78b29282ad0b1ae0882deddf8a8df553c3f02bde.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads