Analysis

  • max time kernel
    128s
  • max time network
    60s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250610-en
  • resource tags
    arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04/07/2025, 17:25

General

  • Target

    4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe

  • Size

    319KB

  • MD5

    8c9908027dac44fcb913f1bd1a27f19b

  • SHA1

    22a8909d8b4e507a442e38caaac2dbd77ff58899

  • SHA256

    4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8

  • SHA512

    56bcc8f4d8a967031e9af2da00bb9cdcc0572e926ff12dc689f64c3a16aec5c1f20767a37aa4f790279cf6dbca692e2bc269c432433918b936707fa71a26f70f

  • SSDEEP

    6144:mjpZNZOlh88podq6Q4Ag5HotrMTWhFYyULAQE3K4:ONZOM8cqnng5H8yWhi8

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe
    "C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk" && echo URL=file:///C:\Users\Public\Documents\HiddenApp\TaskBar.exe >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk"
      2⤵
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Windows\system32\cmd.exe
        cmd /c echo [InternetShortcut]
        3⤵
        PID:6020
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /Create /SC ONLOGON /TN "MAMP id_xmpxqm49" /TR "C:\Users\Public\Documents\HiddenApp\TaskBar.exe" /id_yob72 id_pvure69 /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4396
      • C:\Windows\system32\schtasks.exe
        schtasks /Create /SC ONLOGON /TN "MAMP id_xmpxqm49" /TR "C:\Users\Public\Documents\HiddenApp\TaskBar.exe" /id_yob72 id_pvure69 /F
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3420
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /Change /TN "MAMP id_xmpxqm49" /ENABLE
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Windows\system32\schtasks.exe
        schtasks /Change /TN "MAMP id_xmpxqm49" /ENABLE
        3⤵
        PID:1428
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\Documents\HiddenApp\TaskBar.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:6012
    • C:\Users\Public\Documents\HiddenApp\TaskBar.exe
      C:\Users\Public\Documents\HiddenApp\TaskBar.exe
      2⤵
      • Executes dropped EXE
      PID:808

Network

MITRE ATT&CK Enterprise v16


Downloads

  • C:\Users\Public\Documents\HiddenApp\TaskBar.exe

    Filesize

    319KB

    MD5

    8c9908027dac44fcb913f1bd1a27f19b

    SHA1

    22a8909d8b4e507a442e38caaac2dbd77ff58899

    SHA256

    4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8

    SHA512

    56bcc8f4d8a967031e9af2da00bb9cdcc0572e926ff12dc689f64c3a16aec5c1f20767a37aa4f790279cf6dbca692e2bc269c432433918b936707fa71a26f70f

  • C:\Users\Public\Documents\HiddenApp\log.txt

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a