be9880ef9ccc6b51f6e22e21884bf7092da435c96a072bd9e9515eb88b7c6bd5

General

Target

ec3e0e37a0706e727186ef4a1d338b48.exe
Size

474KB
MD5

ec3e0e37a0706e727186ef4a1d338b48
SHA1

549d90919104da57c9ed2e6cbc3d4a654b32162b
SHA256

be9880ef9ccc6b51f6e22e21884bf7092da435c96a072bd9e9515eb88b7c6bd5
SHA512

6010946af214b0015b899f1fb1086a66a0e5d0851a35256f3294ea92e3557912cd129569220c69a4f593db37ad9027c3c7c297f904965ea9cc2e8af61a7a0862
SSDEEP

6144:hxxxVzbfkDOMpkMQ2S/YUa/fdchxRhu9X:hxxYtB8//acRuX

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

WindowsLibrary.exeWindowsLibrary.exe

pid process

3200 WindowsLibrary.exe
5008 WindowsLibrary.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

SCHtAsKs.EXeSCHtAsKs.EXeSCHtAsKs.EXeSCHtAsKs.EXe

pid process

3476 SCHtAsKs.EXe
4436 SCHtAsKs.EXe
3176 SCHtAsKs.EXe
3844 SCHtAsKs.EXe

pid	process
3200	WindowsLibrary.exe
5008	WindowsLibrary.exe

pid	process
3476	SCHtAsKs.EXe
4436	SCHtAsKs.EXe
3176	SCHtAsKs.EXe
3844	SCHtAsKs.EXe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ec3e0e37a0706e727186ef4a1d338b48.exeWindowsLibrary.exeWindowsLibrary.exe

pid	process
456	ec3e0e37a0706e727186ef4a1d338b48.exe
456	ec3e0e37a0706e727186ef4a1d338b48.exe
3200	WindowsLibrary.exe
3200	WindowsLibrary.exe
5008	WindowsLibrary.exe
5008	WindowsLibrary.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ec3e0e37a0706e727186ef4a1d338b48.exeWindowsLibrary.exeWindowsLibrary.exe

description	pid	process
Token: SeDebugPrivilege	456	ec3e0e37a0706e727186ef4a1d338b48.exe
Token: SeDebugPrivilege	3200	WindowsLibrary.exe
Token: SeDebugPrivilege	5008	WindowsLibrary.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ec3e0e37a0706e727186ef4a1d338b48.exeWindowsLibrary.exeWindowsLibrary.exe

description	pid	process	target process
PID 456 wrote to memory of 3476	456	ec3e0e37a0706e727186ef4a1d338b48.exe	SCHtAsKs.EXe
PID 456 wrote to memory of 3476	456	ec3e0e37a0706e727186ef4a1d338b48.exe	SCHtAsKs.EXe
PID 456 wrote to memory of 4436	456	ec3e0e37a0706e727186ef4a1d338b48.exe	SCHtAsKs.EXe
PID 456 wrote to memory of 4436	456	ec3e0e37a0706e727186ef4a1d338b48.exe	SCHtAsKs.EXe
PID 3200 wrote to memory of 3176	3200	WindowsLibrary.exe	SCHtAsKs.EXe
PID 3200 wrote to memory of 3176	3200	WindowsLibrary.exe	SCHtAsKs.EXe
PID 5008 wrote to memory of 3844	5008	WindowsLibrary.exe	SCHtAsKs.EXe
PID 5008 wrote to memory of 3844	5008	WindowsLibrary.exe	SCHtAsKs.EXe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec3e0e37a0706e727186ef4a1d338b48.exe
"C:\Users\Admin\AppData\Local\Temp\ec3e0e37a0706e727186ef4a1d338b48.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SYSTEM32\SCHtAsKs.EXe
"SCHtAsKs.EXe" /create /tn WindowUpdates1105839693 /tr "C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\WindowsLibrary.exe" /st 14:55 /du 9999:59 /sc daily /ri 1
2⤵
- Creates scheduled task(s)
PID:3476

C:\Windows\SYSTEM32\SCHtAsKs.EXe
"SCHtAsKs.EXe" /create /tn WindowUpdates1105839693 /tr "C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\WindowsLibrary.exe" /st 14:55 /du 9999:59 /sc daily /ri 1
2⤵
- Creates scheduled task(s)
PID:4436

C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\WindowsLibrary.exe
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\WindowsLibrary.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\system32\SCHtAsKs.EXe
"SCHtAsKs.EXe" /create /tn WindowUpdates1105839693 /tr "C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\WindowsLibrary.exe" /st 14:56 /du 9999:59 /sc daily /ri 1
2⤵
- Creates scheduled task(s)
PID:3176

C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\WindowsLibrary.exe
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\WindowsLibrary.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\system32\SCHtAsKs.EXe
"SCHtAsKs.EXe" /create /tn WindowUpdates1105839693 /tr "C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\WindowsLibrary.exe" /st 14:57 /du 9999:59 /sc daily /ri 1
2⤵
- Creates scheduled task(s)
PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\WindowsLibrary.exe

Filesize
474KB

MD5
ec3e0e37a0706e727186ef4a1d338b48

SHA1
549d90919104da57c9ed2e6cbc3d4a654b32162b

SHA256
be9880ef9ccc6b51f6e22e21884bf7092da435c96a072bd9e9515eb88b7c6bd5

SHA512
6010946af214b0015b899f1fb1086a66a0e5d0851a35256f3294ea92e3557912cd129569220c69a4f593db37ad9027c3c7c297f904965ea9cc2e8af61a7a0862

Download Submit
memory/456-0-0x0000000000CC0000-0x0000000000D3A000-memory.dmp

Filesize
488KB

Download
memory/456-2-0x00007FFF28280000-0x00007FFF28D41000-memory.dmp

Filesize
10.8MB

Download
memory/456-3-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/456-4-0x00007FFF28280000-0x00007FFF28D41000-memory.dmp

Filesize
10.8MB

Download
memory/456-5-0x00007FFF28280000-0x00007FFF28D41000-memory.dmp

Filesize
10.8MB

Download
memory/3200-8-0x00007FFF28280000-0x00007FFF28D41000-memory.dmp

Filesize
10.8MB

Download
memory/3200-9-0x00007FFF28280000-0x00007FFF28D41000-memory.dmp

Filesize
10.8MB

Download
memory/3200-10-0x00007FFF28280000-0x00007FFF28D41000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads