925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980

General

Target

12ce65e1f2d26ed8e7a0eb842d5447bb.exe
Size

3.1MB
MD5

12ce65e1f2d26ed8e7a0eb842d5447bb
SHA1

36cbaea66bfc57c159ca3b13e367eb3c1762738c
SHA256

925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980
SHA512

9f941208d0435e5a4f1d2243ac8beab0696e89beb65acda6ba3f3b72a2099f2265d72f4768c7679cbad5f57129b5b1ed7521ea77466e6cb958135fefd4016782

Score

8^/10

agilenet

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

sqlcmd.exesqlcmd.exesqlcmd.exe

pid process

2600 sqlcmd.exe
1040 sqlcmd.exe
2172 sqlcmd.exe

pid	process
2600	sqlcmd.exe
1040	sqlcmd.exe
2172	sqlcmd.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/1944-123-0x0000000006460000-0x0000000006481000-memory.dmp	agile_net
behavioral2/memory/2600-145-0x0000000005240000-0x000000000573E000-memory.dmp	agile_net

Suspicious use of SetThreadContext 2 IoCs

Processes:

12ce65e1f2d26ed8e7a0eb842d5447bb.exesqlcmd.exe

description	pid	process	target process
PID 1944 set thread context of 4212	1944	12ce65e1f2d26ed8e7a0eb842d5447bb.exe	12ce65e1f2d26ed8e7a0eb842d5447bb.exe
PID 2600 set thread context of 1040	2600	sqlcmd.exe	sqlcmd.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4392 schtasks.exe
1180 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

12ce65e1f2d26ed8e7a0eb842d5447bb.exesqlcmd.exesqlcmd.exe

pid process

1944 12ce65e1f2d26ed8e7a0eb842d5447bb.exe
1944 12ce65e1f2d26ed8e7a0eb842d5447bb.exe
2600 sqlcmd.exe
2600 sqlcmd.exe
2172 sqlcmd.exe

pid	process
4392	schtasks.exe
1180	schtasks.exe

pid	process
1944	12ce65e1f2d26ed8e7a0eb842d5447bb.exe
1944	12ce65e1f2d26ed8e7a0eb842d5447bb.exe
2600	sqlcmd.exe
2600	sqlcmd.exe
2172	sqlcmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

12ce65e1f2d26ed8e7a0eb842d5447bb.exesqlcmd.exesqlcmd.exe

description	pid	process
Token: SeDebugPrivilege	1944	12ce65e1f2d26ed8e7a0eb842d5447bb.exe
Token: SeDebugPrivilege	2600	sqlcmd.exe
Token: SeDebugPrivilege	2172	sqlcmd.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

12ce65e1f2d26ed8e7a0eb842d5447bb.exe12ce65e1f2d26ed8e7a0eb842d5447bb.exesqlcmd.exesqlcmd.exe

description	pid	process	target process
PID 1944 wrote to memory of 4212	1944	12ce65e1f2d26ed8e7a0eb842d5447bb.exe	12ce65e1f2d26ed8e7a0eb842d5447bb.exe
PID 1944 wrote to memory of 4212	1944	12ce65e1f2d26ed8e7a0eb842d5447bb.exe	12ce65e1f2d26ed8e7a0eb842d5447bb.exe
PID 1944 wrote to memory of 4212	1944	12ce65e1f2d26ed8e7a0eb842d5447bb.exe	12ce65e1f2d26ed8e7a0eb842d5447bb.exe
PID 1944 wrote to memory of 4212	1944	12ce65e1f2d26ed8e7a0eb842d5447bb.exe	12ce65e1f2d26ed8e7a0eb842d5447bb.exe
PID 1944 wrote to memory of 4212	1944	12ce65e1f2d26ed8e7a0eb842d5447bb.exe	12ce65e1f2d26ed8e7a0eb842d5447bb.exe
PID 1944 wrote to memory of 4212	1944	12ce65e1f2d26ed8e7a0eb842d5447bb.exe	12ce65e1f2d26ed8e7a0eb842d5447bb.exe
PID 1944 wrote to memory of 4212	1944	12ce65e1f2d26ed8e7a0eb842d5447bb.exe	12ce65e1f2d26ed8e7a0eb842d5447bb.exe
PID 1944 wrote to memory of 4212	1944	12ce65e1f2d26ed8e7a0eb842d5447bb.exe	12ce65e1f2d26ed8e7a0eb842d5447bb.exe
PID 4212 wrote to memory of 4392	4212	12ce65e1f2d26ed8e7a0eb842d5447bb.exe	schtasks.exe
PID 4212 wrote to memory of 4392	4212	12ce65e1f2d26ed8e7a0eb842d5447bb.exe	schtasks.exe
PID 4212 wrote to memory of 4392	4212	12ce65e1f2d26ed8e7a0eb842d5447bb.exe	schtasks.exe
PID 2600 wrote to memory of 1040	2600	sqlcmd.exe	sqlcmd.exe
PID 2600 wrote to memory of 1040	2600	sqlcmd.exe	sqlcmd.exe
PID 2600 wrote to memory of 1040	2600	sqlcmd.exe	sqlcmd.exe
PID 2600 wrote to memory of 1040	2600	sqlcmd.exe	sqlcmd.exe
PID 2600 wrote to memory of 1040	2600	sqlcmd.exe	sqlcmd.exe
PID 2600 wrote to memory of 1040	2600	sqlcmd.exe	sqlcmd.exe
PID 2600 wrote to memory of 1040	2600	sqlcmd.exe	sqlcmd.exe
PID 2600 wrote to memory of 1040	2600	sqlcmd.exe	sqlcmd.exe
PID 1040 wrote to memory of 1180	1040	sqlcmd.exe	schtasks.exe
PID 1040 wrote to memory of 1180	1040	sqlcmd.exe	schtasks.exe
PID 1040 wrote to memory of 1180	1040	sqlcmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\12ce65e1f2d26ed8e7a0eb842d5447bb.exe
"C:\Users\Admin\AppData\Local\Temp\12ce65e1f2d26ed8e7a0eb842d5447bb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\12ce65e1f2d26ed8e7a0eb842d5447bb.exe
"C:\Users\Admin\AppData\Local\Temp\12ce65e1f2d26ed8e7a0eb842d5447bb.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
3⤵
- Creates scheduled task(s)
PID:4392

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
3⤵
- Creates scheduled task(s)
PID:1180

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sqlcmd.exe.log
MD5
7648e852b0157b362b07766e0b5b355e

SHA1
6f9ac6e9d89842d38345fb83930d8c927cb44c69

SHA256
8dd14eb336757d783e47f36a98a4fe5c1314d93782907f538417265037819896

SHA512
849e5e18a2439b9a228395c5f92d1ff8111b84ca7e56f9c2ace3580d21ceee0f78f7e9836668970a401fcf2fa2d88ff9aa89935595f45302b6af88a4069138d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
MD5
12ce65e1f2d26ed8e7a0eb842d5447bb

SHA1
36cbaea66bfc57c159ca3b13e367eb3c1762738c

SHA256
925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980

SHA512
9f941208d0435e5a4f1d2243ac8beab0696e89beb65acda6ba3f3b72a2099f2265d72f4768c7679cbad5f57129b5b1ed7521ea77466e6cb958135fefd4016782

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
MD5
12ce65e1f2d26ed8e7a0eb842d5447bb

SHA1
36cbaea66bfc57c159ca3b13e367eb3c1762738c

SHA256
925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980

SHA512
9f941208d0435e5a4f1d2243ac8beab0696e89beb65acda6ba3f3b72a2099f2265d72f4768c7679cbad5f57129b5b1ed7521ea77466e6cb958135fefd4016782

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
MD5
12ce65e1f2d26ed8e7a0eb842d5447bb

SHA1
36cbaea66bfc57c159ca3b13e367eb3c1762738c

SHA256
925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980

SHA512
9f941208d0435e5a4f1d2243ac8beab0696e89beb65acda6ba3f3b72a2099f2265d72f4768c7679cbad5f57129b5b1ed7521ea77466e6cb958135fefd4016782

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
MD5
12ce65e1f2d26ed8e7a0eb842d5447bb

SHA1
36cbaea66bfc57c159ca3b13e367eb3c1762738c

SHA256
925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980

SHA512
9f941208d0435e5a4f1d2243ac8beab0696e89beb65acda6ba3f3b72a2099f2265d72f4768c7679cbad5f57129b5b1ed7521ea77466e6cb958135fefd4016782

Download Submit
memory/1040-149-0x00000000004019E4-mapping.dmp

Download
memory/1180-151-0x0000000000000000-mapping.dmp

Download
memory/1944-123-0x0000000006460000-0x0000000006481000-memory.dmp

Filesize
132KB

Download
memory/1944-127-0x0000000005230000-0x000000000572E000-memory.dmp

Filesize
5.0MB

Download
memory/1944-128-0x0000000006E50000-0x0000000006E5B000-memory.dmp

Filesize
44KB

Download
memory/1944-129-0x0000000009400000-0x0000000009401000-memory.dmp

Filesize
4KB

Download
memory/1944-126-0x0000000005230000-0x000000000572E000-memory.dmp

Filesize
5.0MB

Download
memory/1944-125-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/1944-124-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/1944-122-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/1944-121-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/1944-120-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/1944-118-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2172-159-0x00000000057D0000-0x0000000005CCE000-memory.dmp

Filesize
5.0MB

Download
memory/2600-145-0x0000000005240000-0x000000000573E000-memory.dmp

Filesize
5.0MB

Download
memory/2600-141-0x0000000005240000-0x000000000573E000-memory.dmp

Filesize
5.0MB

Download
memory/4212-133-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4212-131-0x00000000004019E4-mapping.dmp

Download
memory/4212-130-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4392-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads