e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 01:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
Size

4.8MB
MD5

b663339bd02e558f020ec79d70fa999b
SHA1

47c988da744f241b49856d999321397d672cc116
SHA256

e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0
SHA512

e828814919189b2859e079ecd4f63f92a0ef6f7558ec1190fb8d36229fa92ab19b6db0caa70626654908be16ccb248523a0b76ca5a0f3cc976d40edea4520cde
SSDEEP

98304:eB8DehbRc0fDfv8a8pMhkrIIlGJMB3mO8FJxueSxn7+aD:eQM78axkXuMBp8FDGnRD

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2024	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	28
PID 2180 wrote to memory of 2024	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	28
PID 2180 wrote to memory of 2024	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	28
PID 2180 wrote to memory of 2024	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	28
PID 2024 wrote to memory of 2800	2024	cmd.exe	30
PID 2024 wrote to memory of 2800	2024	cmd.exe	30
PID 2024 wrote to memory of 2800	2024	cmd.exe	30
PID 2180 wrote to memory of 3056	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	31
PID 2180 wrote to memory of 3056	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	31
PID 2180 wrote to memory of 3056	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	31
PID 2180 wrote to memory of 3056	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	31
PID 3056 wrote to memory of 1980	3056	cmd.exe	33
PID 3056 wrote to memory of 1980	3056	cmd.exe	33
PID 3056 wrote to memory of 1980	3056	cmd.exe	33
PID 2180 wrote to memory of 2684	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	34
PID 2180 wrote to memory of 2684	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	34
PID 2180 wrote to memory of 2684	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	34
PID 2180 wrote to memory of 2684	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	34
PID 2684 wrote to memory of 2764	2684	cmd.exe	36
PID 2684 wrote to memory of 2764	2684	cmd.exe	36
PID 2684 wrote to memory of 2764	2684	cmd.exe	36
PID 2180 wrote to memory of 2648	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	37
PID 2180 wrote to memory of 2648	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	37
PID 2180 wrote to memory of 2648	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	37
PID 2180 wrote to memory of 2648	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	37
PID 2648 wrote to memory of 1300	2648	cmd.exe	39
PID 2648 wrote to memory of 1300	2648	cmd.exe	39
PID 2648 wrote to memory of 1300	2648	cmd.exe	39
PID 2180 wrote to memory of 1276	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	40
PID 2180 wrote to memory of 1276	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	40
PID 2180 wrote to memory of 1276	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	40
PID 2180 wrote to memory of 1276	2180	e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe	40
PID 1276 wrote to memory of 2784	1276	cmd.exe	42
PID 1276 wrote to memory of 2784	1276	cmd.exe	42
PID 1276 wrote to memory of 2784	1276	cmd.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe
"C:\Users\Admin\AppData\Local\Temp\e263b7ccb7a9dc11d87f9857330e2e063e3e25f385af6cd22dabcf7d3d019aa0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c expand *.cab /f:* .\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\system32\expand.exe
    expand *.cab /f:* .\
    3⤵
    PID:2800
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\system32\schtasks.exe
    schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1980
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
    3⤵
    PID:2764
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn ASOS1
    3⤵
    PID:1300
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /f /tn ASOS1
    3⤵
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\unpack1.log

Filesize
4KB

MD5
efd17126baf1e254635613898b49fa5b

SHA1
e0e2725ccb4e3cc6c05263d4a974cfc4188034d5

SHA256
033ac035e920c74aad1c44b2a12d77e5016b1f951665064a72b30ef4560592ff

SHA512
a2f582dfe37923860f4f760ad3b935efc0a414e12f9d6a8ce8410a47e48c8124f27ef85ae5394b685a3c52f89cc89d72a01237284c878798f07e000c688f2be1

Download Submit