ed4ad1feffb22fa0d93337b52fa81b204ca109e39f546d42d63871206425c10b

Analysis

max time kernel
135s
max time network
149s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
16/06/2024, 10:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ed4ad1feffb22fa0d93337b52fa81b204ca109e39f546d42d63871206425c10b.exe
Size

2.0MB
MD5

637ec4f915fddd1b5eb20a5c1337a8ac
SHA1

498451ad239eac5a4e0235716ca2cef2b1f7fb0f
SHA256

ed4ad1feffb22fa0d93337b52fa81b204ca109e39f546d42d63871206425c10b
SHA512

55f7f42a061594b8659406ed13898a85a84d595e56bdd23e54a658b2ab80a635676a272c326fab15bcda88a348e0191b65554af7b6876e05431d6ca7edd62146
SSDEEP

12288:pY+yX8kQXniqnWtVzklBPBWF/owCq2piF/ffFNMbPuUo:pY+a8dYsBWFwT4HfwbmF

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2980	schtasks.exe
3028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2140	ed4ad1feffb22fa0d93337b52fa81b204ca109e39f546d42d63871206425c10b.exe
2140	ed4ad1feffb22fa0d93337b52fa81b204ca109e39f546d42d63871206425c10b.exe
2140	ed4ad1feffb22fa0d93337b52fa81b204ca109e39f546d42d63871206425c10b.exe
2140	ed4ad1feffb22fa0d93337b52fa81b204ca109e39f546d42d63871206425c10b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2980	2140	ed4ad1feffb22fa0d93337b52fa81b204ca109e39f546d42d63871206425c10b.exe	28
PID 2140 wrote to memory of 2980	2140	ed4ad1feffb22fa0d93337b52fa81b204ca109e39f546d42d63871206425c10b.exe	28
PID 2140 wrote to memory of 2980	2140	ed4ad1feffb22fa0d93337b52fa81b204ca109e39f546d42d63871206425c10b.exe	28
PID 2140 wrote to memory of 3028	2140	ed4ad1feffb22fa0d93337b52fa81b204ca109e39f546d42d63871206425c10b.exe	30
PID 2140 wrote to memory of 3028	2140	ed4ad1feffb22fa0d93337b52fa81b204ca109e39f546d42d63871206425c10b.exe	30
PID 2140 wrote to memory of 3028	2140	ed4ad1feffb22fa0d93337b52fa81b204ca109e39f546d42d63871206425c10b.exe	30

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ed4ad1feffb22fa0d93337b52fa81b204ca109e39f546d42d63871206425c10b.exe
"C:\Users\Admin\AppData\Local\Temp\ed4ad1feffb22fa0d93337b52fa81b204ca109e39f546d42d63871206425c10b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc onlogon /tn LogonTask /tr C:\Users\Public\Documents\ttd.exe
  2⤵
  - Creates scheduled task(s)
  PID:2980
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn HourlyTask /tr C:\Users\Public\Documents\ttd.exe
  2⤵
  - Creates scheduled task(s)
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2140-1-0x0000000002030000-0x0000000002098000-memory.dmp

Filesize
416KB

Download
memory/2140-2-0x0000000002110000-0x0000000002177000-memory.dmp

Filesize
412KB

Download
memory/2140-3-0x0000000002110000-0x0000000002177000-memory.dmp

Filesize
412KB

Download
memory/2140-6-0x0000000002110000-0x0000000002177000-memory.dmp

Filesize
412KB

Download