Analysis
- max time kernel: 149s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20250619-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2025, 17:25
Static task: static1
Behavioral task: behavioral1
- Sample: 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe
- Resource: win10v2004-20250619-en
Behavioral task: behavioral2
- Sample: 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe
- Resource: win11-20250610-en
General
- Target: 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe
- Size: 319KB
- MD5: 8c9908027dac44fcb913f1bd1a27f19b
- SHA1: 22a8909d8b4e507a442e38caaac2dbd77ff58899
- SHA256: 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8
- SHA512: 56bcc8f4d8a967031e9af2da00bb9cdcc0572e926ff12dc689f64c3a16aec5c1f20767a37aa4f790279cf6dbca692e2bc269c432433918b936707fa71a26f70f
- SSDEEP: 6144:mjpZNZOlh88podq6Q4Ag5HotrMTWhFYyULAQE3K4:ONZOM8cqnng5H8yWhi8
Malware Config
Signatures
- Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk (process: cmd.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk (process: cmd.exe)
- Executes dropped EXE (1 IoC)
  - PID 924: TaskBar.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MAMP = "C:\\Users\\Public\\Documents\\HiddenApp\\TaskBar.exe" (process: 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe)
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 3668: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 4220: 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe
  - PID 4220: 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe
- Suspicious use of WriteProcessMemory (14 IoCs; columns: description, pid, Process, procid_target)
  - PID 4220 wrote to memory of 4184 | 4220 | 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe | 87
  - PID 4220 wrote to memory of 4184 | 4220 | 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe | 87
  - PID 4184 wrote to memory of 5112 | 4184 | cmd.exe | 90
  - PID 4184 wrote to memory of 5112 | 4184 | cmd.exe | 90
  - PID 4220 wrote to memory of 3840 | 4220 | 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe | 91
  - PID 4220 wrote to memory of 3840 | 4220 | 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe | 91
  - PID 3840 wrote to memory of 3668 | 3840 | cmd.exe | 92
  - PID 3840 wrote to memory of 3668 | 3840 | cmd.exe | 92
  - PID 4648 wrote to memory of 924 | 4648 | cmd.exe | 93
  - PID 4648 wrote to memory of 924 | 4648 | cmd.exe | 93
  - PID 4220 wrote to memory of 4604 | 4220 | 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe | 94
  - PID 4220 wrote to memory of 4604 | 4220 | 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe | 94
  - PID 4604 wrote to memory of 5088 | 4604 | cmd.exe | 95
  - PID 4604 wrote to memory of 5088 | 4604 | cmd.exe | 95
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe (PID 4220)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 4184)
    Command line: C:\Windows\system32\cmd.exe /c cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk" && echo URL=file:///C:\Users\Public\Documents\HiddenApp\TaskBar.exe >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk"
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 5112)
      Command line: cmd /c echo [InternetShortcut]
  - C:\Windows\system32\cmd.exe (PID 3840)
    Command line: C:\Windows\system32\cmd.exe /c schtasks /Create /SC ONLOGON /TN "MAMP id_xmpxqm49" /TR "C:\Users\Public\Documents\HiddenApp\TaskBar.exe" /id_yob72 id_pvure69 /F
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 3668)
      Command line: schtasks /Create /SC ONLOGON /TN "MAMP id_xmpxqm49" /TR "C:\Users\Public\Documents\HiddenApp\TaskBar.exe" /id_yob72 id_pvure69 /F
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\cmd.exe (PID 4604)
    Command line: C:\Windows\system32\cmd.exe /c schtasks /Change /TN "MAMP id_xmpxqm49" /ENABLE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 5088)
      Command line: schtasks /Change /TN "MAMP id_xmpxqm49" /ENABLE
- C:\Windows\system32\cmd.exe (PID 4648)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Public\Documents\HiddenApp\TaskBar.exe
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\Documents\HiddenApp\TaskBar.exe (PID 924)
    Command line: C:\Users\Public\Documents\HiddenApp\TaskBar.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- Filesize: 319KB
  MD5: 8c9908027dac44fcb913f1bd1a27f19b
  SHA1: 22a8909d8b4e507a442e38caaac2dbd77ff58899
  SHA256: 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8
  SHA512: 56bcc8f4d8a967031e9af2da00bb9cdcc0572e926ff12dc689f64c3a16aec5c1f20767a37aa4f790279cf6dbca692e2bc269c432433918b936707fa71a26f70f
- Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a