Analysis

max time kernel: 60s
max time network: 15s
platform: windows7_x64
resource: win7v20201028
submitted: 13-01-2021 07:48

Static task: static1
Behavioral task: behavioral1
Sample: SCAN_20210113140930669.exe
Resource: win7v20201028
General

Target: SCAN_20210113140930669.exe
Size: 1.0MB
MD5: 5f7d0bc54b8cfbfca3057aeddb3c0909
SHA1: a426832c6b424a035cfb30f9d4ba07cd45dc5ce1
SHA256: 2120a958805532d53821fb90eaaa140d8a6461f667b392e352311ff896465f46
SHA512: 74977c2c7ac0793912dbc073cb7dc6184d42cab8d93e595abe673c65402b439e0adbaf2e82686dd11da79e4b6dc6d75e94a2745fe7c2e8fd1f2fd55de5b9082b
Malware Config
Signatures

- Creates scheduled task(s)    1 TTPs    1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses    10 IoCs
  Processes:
  pid   process                       hits
  808   SCAN_20210113140930669.exe    10

- Suspicious use of AdjustPrivilegeToken    1 IoCs
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   808   SCAN_20210113140930669.exe

- Suspicious use of WriteProcessMemory    24 IoCs
  Processes:
  description                        pid   process                       target process                hits
  PID 808 wrote to memory of 652     808   SCAN_20210113140930669.exe    schtasks.exe                  4
  PID 808 wrote to memory of 1472    808   SCAN_20210113140930669.exe    SCAN_20210113140930669.exe    4
  PID 808 wrote to memory of 1456    808   SCAN_20210113140930669.exe    SCAN_20210113140930669.exe    4
  PID 808 wrote to memory of 1092    808   SCAN_20210113140930669.exe    SCAN_20210113140930669.exe    4
  PID 808 wrote to memory of 1560    808   SCAN_20210113140930669.exe    SCAN_20210113140930669.exe    4
  PID 808 wrote to memory of 796     808   SCAN_20210113140930669.exe    SCAN_20210113140930669.exe    4
Processes

- (depth 1) C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe"
  PID: 808
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - (depth 2) C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fqJdWysg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4846.tmp"
    PID: 652
    - Creates scheduled task(s)
    (The command line names System32 but the image on disk is SysWOW64: the parent is a 32-bit process and the path was redirected by WOW64. The task definition is read from tmp4846.tmp, listed under Downloads below.)

  - (depth 2) C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe"
    PID: 1472

  - (depth 2) C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe"
    PID: 1456

  - (depth 2) C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe"
    PID: 1092

  - (depth 2) C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe"
    PID: 1560

  - (depth 2) C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe"
    PID: 796
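The two behaviours the sandbox flagged above (schtasks /Create fed from an XML in the user's Temp directory, and a parent writing repeatedly into children that run its own image) are the kind of thing a detection engineer wants to turn into rules rather than read off a report. The script below is an added example, not part of the Triage output and not the sample's own code: it replays the report's process tree and WriteProcessMemory IoCs as constructed events (same PIDs, image paths and command lines as above; the parent PID of 808 is set to 0 because the report does not show it, which is an assumption) and runs two checks over them. Whether the same-image writes are process hollowing is an interpretation the report itself does not make; the check only surfaces the pattern.

```python
"""Added example: the report's two signatures expressed as detection logic.

EVENTS and WRITES are constructed from the process tree and the
WriteProcessMemory IoCs in the sandbox report; they are not a real
telemetry capture (e.g. Sysmon events), only shaped like one.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # image path on disk (SysWOW64 after WOW64 redirection)
    cmdline: str


@dataclass(frozen=True)
class MemoryWrite:
    source_pid: int
    target_pid: int


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events: PIDs, images and command lines taken from the report.
EVENTS = [
    ProcessEvent(808, 0, SAMPLE, f'"{SAMPLE}"'),   # ppid 0: parent not shown in the report (assumption)
    ProcessEvent(652, 808, r"C:\Windows\SysWOW64\schtasks.exe",
                 r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fqJdWysg" '
                 r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp4846.tmp"'),
] + [ProcessEvent(pid, 808, SAMPLE, f'"{SAMPLE}"') for pid in (1472, 1456, 1092, 1560, 796)]

# The report lists four writes from 808 into every child, schtasks included.
WRITES = [MemoryWrite(808, ev.pid) for ev in EVENTS if ev.ppid == 808 for _ in range(4)]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def under(path: str, directory: str) -> bool:
    """True if path lies below directory (case-insensitive, Windows separators)."""
    return path.lower().startswith(directory.lower().rstrip("\\") + "\\")


def schtasks_persistence(events):
    """Flag schtasks /Create whose task definition comes from a /XML file in Temp,
    and note whether the parent itself runs from Temp (both hold in the report)."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        if basename(ev.image) != "schtasks.exe":
            continue
        if not re.search(r"/create\b", ev.cmdline, re.I):
            continue
        tn = re.search(r'/TN\s+"([^"]+)"', ev.cmdline, re.I)
        xml = re.search(r'/XML\s+"([^"]+)"', ev.cmdline, re.I)
        parent = by_pid.get(ev.ppid)
        findings.append({
            "pid": ev.pid,
            "task": tn.group(1) if tn else None,
            "xml": xml.group(1) if xml else None,
            "xml_in_temp": bool(xml and under(xml.group(1), TEMP)),
            "parent_in_temp": bool(parent and under(parent.image, TEMP)),
        })
    return findings


def self_injection(events, writes, min_writes=2):
    """A parent writing repeatedly into a child that runs the parent's own image:
    the setup seen before process hollowing / RunPE. Writes into children with a
    different image (here schtasks.exe) are deliberately not reported by this check."""
    by_pid = {ev.pid: ev for ev in events}
    counts = Counter((w.source_pid, w.target_pid) for w in writes)
    findings = []
    for (src, dst), n in sorted(counts.items()):
        s, d = by_pid.get(src), by_pid.get(dst)
        if not (s and d) or d.ppid != src or n < min_writes:
            continue
        if basename(s.image) == basename(d.image):
            findings.append({"source": src, "target": dst, "writes": n, "image": basename(d.image)})
    return findings


if __name__ == "__main__":
    for f in schtasks_persistence(EVENTS):
        print("schtasks persistence:", f)
    for f in self_injection(EVENTS, WRITES):
        print("self-image write:", f)
```

Run against the constructed events it reports one scheduled-task finding (task `Updates\fqJdWysg`, XML in Temp, parent in Temp) and five same-image write findings (targets 796, 1092, 1456, 1472, 1560, four writes each). On real endpoint telemetry the same two functions would take Sysmon event ID 1 (process creation) and event ID 8/10-style cross-process access records in place of the constructed lists.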
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmp4846.tmp
  MD5: c963981c0dd5716b051f32161e14e8fb
  SHA1: d8024d1745ad1225cb26962dc4d2d2e71e6a12b2
  SHA256: 29aa89cfe5eef829f24a059c1b4b82db65f8411127f013f0089895cf23ce1c80
  SHA512: 65dde9f0ca633546a372970cf30174224edd4109965883f60d1a8f042928682893ea012ef0822e51dad32db49dae2aa3c6e4bdbf7844d8f05dc4c1897cdcb5aa

- memory/652-7-0x0000000000000000-mapping.dmp

- memory/808-2-0x0000000073F40000-0x000000007462E000-memory.dmp
  Filesize: 6.9MB

- memory/808-3-0x00000000003C0000-0x00000000003C1000-memory.dmp
  Filesize: 4KB

- memory/808-5-0x00000000004E0000-0x00000000004F2000-memory.dmp
  Filesize: 72KB

- memory/808-6-0x0000000004C60000-0x0000000004CCB000-memory.dmp
  Filesize: 428KB