619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

General

Target

Medal.exe
Size

1.8MB
MD5

42b89874d3138f40f32285be945f2ceb
SHA1

1766b4c4a040ba19afc4318e9b2eab775fee88d7
SHA256

619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a
SHA512

df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9
SSDEEP

49152:QdBn+oix+Z7vL4tzzQVGVzDd3Omjq+FLof:QdB+jx+Jv6zQVy1FLof

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 10 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	4928	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	4928	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	4928	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	4928	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	4928	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	4928	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4928	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	4928	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	4928	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	4928	schtasks.exe	87

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2064	schtasks.exe
1840	schtasks.exe
2504	schtasks.exe
2716	schtasks.exe
2012	schtasks.exe
2728	schtasks.exe
2536	schtasks.exe
3480	schtasks.exe
2156	schtasks.exe
4528	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	Medal.exe

C:\Users\Admin\AppData\Local\Temp\Medal.exe
"C:\Users\Admin\AppData\Local\Temp\Medal.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\explorer.exe

Filesize
1.8MB

MD5
42b89874d3138f40f32285be945f2ceb

SHA1
1766b4c4a040ba19afc4318e9b2eab775fee88d7

SHA256
619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

SHA512
df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

Download Submit
memory/1644-4-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

Filesize
10.8MB

Download
memory/1644-7-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

Filesize
10.8MB

Download
memory/1644-3-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

Filesize
10.8MB

Download
memory/1644-0-0x00007FFA96DC3000-0x00007FFA96DC5000-memory.dmp

Filesize
8KB

Download
memory/1644-12-0x0000000002D20000-0x0000000002D38000-memory.dmp

Filesize
96KB

Download
memory/1644-9-0x0000000002D00000-0x0000000002D1C000-memory.dmp

Filesize
112KB

Download
memory/1644-2-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

Filesize
10.8MB

Download
memory/1644-10-0x000000001B790000-0x000000001B7E0000-memory.dmp

Filesize
320KB

Download
memory/1644-6-0x0000000002C70000-0x0000000002C7E000-memory.dmp

Filesize
56KB

Download
memory/1644-14-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

Filesize
10.8MB

Download
memory/1644-21-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

Filesize
10.8MB

Download
memory/1644-1-0x00000000009D0000-0x0000000000BA2000-memory.dmp

Filesize
1.8MB

Download
memory/1644-26-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

Filesize
10.8MB

Download
memory/1644-27-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

Filesize
10.8MB

Download
memory/1644-28-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

Filesize
10.8MB

Download
memory/1644-29-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads