e4a7526ba0307eafbdf3d9ce7c5fb335fb76989a480f05de0f928d47808d5595

Analysis

max time kernel
100s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

5c90e91232e7e16804a5e2512f56ef0f
SHA1

0f5533f772a53f8a96710a1812d05c5db276d999
SHA256

e4a7526ba0307eafbdf3d9ce7c5fb335fb76989a480f05de0f928d47808d5595
SHA512

a96fe2661c18d59a6f84bfeae75eeae0db847b559808cd1f2a2485d3c651cea547a18af1435a5c3f855f31cec7b114ced112ad27b0f7f99abc751a090ff1ebc0
SSDEEP

49152:Svkt62XlaSFNWPjljiFa2RoUYIk7waT5p+Vk/3LoGdjTHHB72eh2NT:Sv462XlaSFNWPjljiFXRoUYIzaD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4516	Client.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2552	schtasks.exe
5108	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	Client-built.exe
Token: SeDebugPrivilege	4516	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4516	Client.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 5108	3356	Client-built.exe	82
PID 3356 wrote to memory of 5108	3356	Client-built.exe	82
PID 3356 wrote to memory of 4516	3356	Client-built.exe	84
PID 3356 wrote to memory of 4516	3356	Client-built.exe	84
PID 4516 wrote to memory of 2552	4516	Client.exe	85
PID 4516 wrote to memory of 2552	4516	Client.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5108
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
1.3MB

MD5
73a35adb9df077af5f19895eac56f3e6

SHA1
34b6c58f91fe8fa4a6822e07f02173d7640623db

SHA256
a3ec62dc434b2442d8c5755facfac02386949a1aaf5cd7a7a6edb1aa255c5446

SHA512
fab5c88846e235843c2df17a0968deb674d48be098ceed002ae6ee338534cb6241b003a20e0e58ab86b5690cdd5aacb9b8a8fed8ef2248f11c07645c8b6aa2d1

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
1.1MB

MD5
fa3a45daa2f014c90de17fe6b21ca506

SHA1
6f09fdc334553a15fb8bf97747db256d82ec66b6

SHA256
6669d9a908eea970f3afe6336e9aa0e8e35c1402aaa3682220b00c9aee3ca0ab

SHA512
8753fbacb17058b1059aa9d91f3794e6a0496c6d3aae9c8108b61fedd59a105b91eed2f893ebd3248a6808eaccbeb0de7aa49480de700de2a7e34b32089d1229

Download Submit
memory/3356-0-0x00007FFDEED13000-0x00007FFDEED15000-memory.dmp

Filesize
8KB

Download
memory/3356-1-0x0000000000EE0000-0x0000000001204000-memory.dmp

Filesize
3.1MB

Download
memory/3356-2-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3356-9-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4516-10-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4516-11-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4516-12-0x000000001DA00000-0x000000001DA50000-memory.dmp

Filesize
320KB

Download
memory/4516-13-0x000000001DB10000-0x000000001DBC2000-memory.dmp

Filesize
712KB

Download
memory/4516-14-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads