Analysis Overview
SHA256
4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8
Threat Level: Shows suspicious behavior
The file 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 17:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 17:25
Reported
2025-07-04 17:28
Platform
win10v2004-20250619-en
Max time kernel
149s
Max time network
141s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Documents\HiddenApp\TaskBar.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MAMP = "C:\\Users\\Public\\Documents\\HiddenApp\\TaskBar.exe" | C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe
"C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk" && echo URL=file:///C:\Users\Public\Documents\HiddenApp\TaskBar.exe >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\Documents\HiddenApp\TaskBar.exe
C:\Windows\system32\cmd.exe
cmd /c echo [InternetShortcut]
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /Create /SC ONLOGON /TN "MAMP id_xmpxqm49" /TR "C:\Users\Public\Documents\HiddenApp\TaskBar.exe" /id_yob72 id_pvure69 /F
C:\Windows\system32\schtasks.exe
schtasks /Create /SC ONLOGON /TN "MAMP id_xmpxqm49" /TR "C:\Users\Public\Documents\HiddenApp\TaskBar.exe" /id_yob72 id_pvure69 /F
C:\Users\Public\Documents\HiddenApp\TaskBar.exe
C:\Users\Public\Documents\HiddenApp\TaskBar.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /Change /TN "MAMP id_xmpxqm49" /ENABLE
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "MAMP id_xmpxqm49" /ENABLE
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
C:\Users\Public\Documents\HiddenApp\TaskBar.exe
| MD5 | 8c9908027dac44fcb913f1bd1a27f19b |
| SHA1 | 22a8909d8b4e507a442e38caaac2dbd77ff58899 |
| SHA256 | 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8 |
| SHA512 | 56bcc8f4d8a967031e9af2da00bb9cdcc0572e926ff12dc689f64c3a16aec5c1f20767a37aa4f790279cf6dbca692e2bc269c432433918b936707fa71a26f70f |
C:\Users\Public\Documents\HiddenApp\log.txt
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-04 17:25
Reported
2025-07-04 17:28
Platform
win11-20250610-en
Max time kernel
128s
Max time network
60s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Documents\HiddenApp\TaskBar.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-903960561-1545645218-4290906778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MAMP = "C:\\Users\\Public\\Documents\\HiddenApp\\TaskBar.exe" | C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe
"C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk" && echo URL=file:///C:\Users\Public\Documents\HiddenApp\TaskBar.exe >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\Documents\HiddenApp\TaskBar.exe
C:\Windows\system32\cmd.exe
cmd /c echo [InternetShortcut]
C:\Users\Public\Documents\HiddenApp\TaskBar.exe
C:\Users\Public\Documents\HiddenApp\TaskBar.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /Create /SC ONLOGON /TN "MAMP id_xmpxqm49" /TR "C:\Users\Public\Documents\HiddenApp\TaskBar.exe" /id_yob72 id_pvure69 /F
C:\Windows\system32\schtasks.exe
schtasks /Create /SC ONLOGON /TN "MAMP id_xmpxqm49" /TR "C:\Users\Public\Documents\HiddenApp\TaskBar.exe" /id_yob72 id_pvure69 /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /Change /TN "MAMP id_xmpxqm49" /ENABLE
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "MAMP id_xmpxqm49" /ENABLE
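The process trees of behavioral1 and behavioral2 show the same three-way persistence chain aimed at one binary: a shortcut written into the per-user Startup folder by cmd.exe echo redirection, an HKCU Run value, and a schtasks ONLOGON task, all pointing at C:\Users\Public\Documents\HiddenApp\TaskBar.exe (which, per the Files tables, has the same SHA256 as the submitted sample, i.e. a self-copy; the dropped log.txt has the hashes of the single character 1). Two details worth a detection: the Startup file is named MAMP.lnk but its body is .url (InternetShortcut) text, and both the task action and the Run value live under a user-writable path. The block below is an added example, not code from the sandbox or from the sample, that runs this detection logic over constructed process-creation and registry events mirroring the report's process tree. The Event class, the tag names and the user-writable path list are this example's own assumptions; the id_* tokens in the report's schtasks line are sandbox placeholders and are left out of the constructed event. The behavioral1 Network table contains only Bing and Google PKI endpoints, which is consistent with OS background traffic; nothing on this page identifies a C2 endpoint.

```python
"""Hunt for the Startup-shortcut / Run-key / ONLOGON-task persistence chain
over constructed events (added example; not telemetry from the report)."""
import re
from dataclasses import dataclass

STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup\\"[:-1]  # lower-case marker
# Paths a non-admin user can write to; a persistence target here is suspicious (assumed list).
USER_WRITABLE = (r"c:\users\public\\"[:-1], r"\appdata\local\temp\\"[:-1], r"\appdata\roaming\\"[:-1])


@dataclass
class Event:
    kind: str          # "process" or "registry"
    image: str = ""    # executing image (process events)
    cmdline: str = ""  # full command line (process events)
    key: str = ""      # registry value path (registry events)
    data: str = ""     # registry value data (registry events)


def _in_user_writable(path: str) -> bool:
    p = path.lower().strip('"')
    return any(marker in p for marker in USER_WRITABLE)


def _tr_target(cmdline: str) -> str:
    """Extract the /TR action of a schtasks command line (quoted or bare)."""
    m = re.search(r'/tr\s+("([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return ""
    return m.group(2) if m.group(2) is not None else m.group(3)


def classify(ev: Event) -> list[str]:
    """Return detection tags for one event (empty list means nothing flagged)."""
    tags = []
    if ev.kind == "process":
        low = ev.cmdline.lower()
        # 1. cmd.exe redirecting output into a shortcut file inside the Startup folder.
        if "cmd" in ev.image.lower() and STARTUP_DIR in low \
                and re.search(r'>\s*"?[^"]*\.(lnk|url)', low):
            tags.append("startup_shortcut_via_echo")
            # .url-format body written under a .lnk name: a mismatch a tidy installer never produces.
            if "[internetshortcut]" in low and ".lnk" in low:
                tags.append("url_body_with_lnk_extension")
        # 2. Logon-triggered task whose action is a binary in a user-writable location.
        if ev.image.lower().endswith("schtasks.exe") and "/create" in low and "/sc onlogon" in low:
            if _in_user_writable(_tr_target(ev.cmdline)):
                tags.append("onlogon_task_user_writable_target")
    elif ev.kind == "registry":
        # 3. Run value pointing at a user-writable location.
        if r"\software\microsoft\windows\currentversion\run\\"[:-1] in ev.key.lower() \
                and _in_user_writable(ev.data):
            tags.append("run_key_user_writable_target")
    return tags


def persistence_target(ev: Event, tags: list[str]) -> str:
    """Normalised path the persistence mechanism will launch, or "" if none."""
    if "startup_shortcut_via_echo" in tags:
        m = re.search(r'url=file:///([^\s"&>]+)', ev.cmdline, re.IGNORECASE)
        return m.group(1).lower() if m else ""
    if "onlogon_task_user_writable_target" in tags:
        return _tr_target(ev.cmdline).strip('"').lower()
    if "run_key_user_writable_target" in tags:
        return ev.data.strip('"').lower()
    return ""


def hunt(events: list[Event]) -> dict:
    """Return {tag: [event indexes]} and targets reached by two or more mechanisms."""
    by_tag: dict[str, list[int]] = {}
    mechanisms: dict[str, set[str]] = {}
    for i, ev in enumerate(events):
        tags = classify(ev)
        for t in tags:
            by_tag.setdefault(t, []).append(i)
        target = persistence_target(ev, tags)
        if target:
            mechanisms.setdefault(target, set()).update(
                t for t in tags if t != "url_body_with_lnk_extension")
    redundant = sorted(t for t, m in mechanisms.items() if len(m) >= 2)
    return {"by_tag": by_tag, "redundant_targets": redundant}


# Constructed events mirroring the report's process tree, plus two benign controls.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
          cmdline=r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    Event("process", image=r"C:\Windows\system32\cmd.exe",
          cmdline=r'C:\Windows\system32\cmd.exe /c cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk" && echo URL=file:///C:\Users\Public\Documents\HiddenApp\TaskBar.exe >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk"'),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MAMP",
          data=r"C:\Users\Public\Documents\HiddenApp\TaskBar.exe"),
    Event("process", image=r"C:\Windows\system32\schtasks.exe",
          cmdline=r'schtasks /Create /SC ONLOGON /TN "MAMP id_xmpxqm49" /TR "C:\Users\Public\Documents\HiddenApp\TaskBar.exe" /F'),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          data=r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    Event("process", image=r"C:\Windows\system32\schtasks.exe",
          cmdline=r'schtasks /Create /SC ONLOGON /TN "Updater" /TR "C:\Program Files\Vendor\update.exe" /F'),
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

The redundant-target check is the useful part: any one of the three mechanisms can appear in legitimate software, but the same user-writable binary being registered through all three within one process tree is the pattern this report shows and is rarely benign.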
Network
Files
C:\Users\Public\Documents\HiddenApp\TaskBar.exe
| MD5 | 8c9908027dac44fcb913f1bd1a27f19b |
| SHA1 | 22a8909d8b4e507a442e38caaac2dbd77ff58899 |
| SHA256 | 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8 |
| SHA512 | 56bcc8f4d8a967031e9af2da00bb9cdcc0572e926ff12dc689f64c3a16aec5c1f20767a37aa4f790279cf6dbca692e2bc269c432433918b936707fa71a26f70f |
C:\Users\Public\Documents\HiddenApp\log.txt
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |