5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8

Resubmissions

17-10-2024 07:22

241017-h7j5raxdpc 10

19-09-2024 09:46

240919-lr5nassbmg 10

22-08-2024 01:33

240822-byp63svhjj 7

Analysis

max time kernel
140s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe
Size

68KB
MD5

58e3fdda803852666f535b132e6a8160
SHA1

34550c1402b823b5cf3bc7edfeec0cc00cb6a953
SHA256

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8
SHA512

90ee1949a0cb79ee9ea20351f15fe2d27c8c171e398f01e42849e2cba6a9531cf792757f7fec6aeaea5b3a5e7198e3f875ab702275541acbcd420d46c1a9ba2a
SSDEEP

1536:3R2zxbOmOBVjGqV3g5I+va6z5f85NGducEe0e:h2zxqfU5I+xknGd30e

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe

pid	Process
1984	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe

Executes dropped EXE 2 IoCs

Processes:

Update_12bb6cf3.exeUpdate_12bb6cf3.exe

pid	Process
2360	Update_12bb6cf3.exe
2828	Update_12bb6cf3.exe

Loads dropped DLL 3 IoCs

Processes:

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exetaskeng.exe

pid	Process
1984	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe
1984	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe
2948	taskeng.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe

pid	Process
1984	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exetaskeng.exe

description	pid	Process	procid_target
PID 1984 wrote to memory of 2360	1984	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe	30
PID 1984 wrote to memory of 2360	1984	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe	30
PID 1984 wrote to memory of 2360	1984	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe	30
PID 1984 wrote to memory of 2860	1984	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe	31
PID 1984 wrote to memory of 2860	1984	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe	31
PID 1984 wrote to memory of 2860	1984	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe	31
PID 2948 wrote to memory of 2828	2948	taskeng.exe	33
PID 2948 wrote to memory of 2828	2948	taskeng.exe	33
PID 2948 wrote to memory of 2828	2948	taskeng.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe
"C:\Users\Admin\AppData\Local\Temp\5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe"
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Roaming\Custom_update\Update_12bb6cf3.exe
  "C:\Users\Admin\AppData\Roaming\Custom_update\Update_12bb6cf3.exe"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1984 -s 252
  2⤵
  PID:2860

C:\Windows\system32\taskeng.exe
taskeng.exe {2A85BF92-79F9-4DA9-BB84-038D1AA6ADF5} S-1-5-21-2172136094-3310281978-782691160-1000:EXCFTDUU\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Roaming\Custom_update\Update_12bb6cf3.exe
  C:\Users\Admin\AppData\Roaming\Custom_update\Update_12bb6cf3.exe
  2⤵
  - Executes dropped EXE
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Custom_update\Update_12bb6cf3.exe

Filesize
68KB

MD5
58e3fdda803852666f535b132e6a8160

SHA1
34550c1402b823b5cf3bc7edfeec0cc00cb6a953

SHA256
5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8

SHA512
90ee1949a0cb79ee9ea20351f15fe2d27c8c171e398f01e42849e2cba6a9531cf792757f7fec6aeaea5b3a5e7198e3f875ab702275541acbcd420d46c1a9ba2a

Download Submit
memory/1984-10-0x000000013F400000-0x000000013F415000-memory.dmp

Filesize
84KB

Download