b706de1b9f7ef2d7f6c4d5fddd9525d907a7a0fdb087d98c4a01589f6178edc7

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
08-02-2023 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iFYEJ.exe
Size

2.5MB
MD5

acfe53c70928d44f9cf498495145ec84
SHA1

2a12b327d4e5628904cc25c5f134732d6265e662
SHA256

b706de1b9f7ef2d7f6c4d5fddd9525d907a7a0fdb087d98c4a01589f6178edc7
SHA512

345143bcc9895282d2843efee182eb07bc0d0179c0c1e6ffcdd7ff9f1d44c252ffccb1b56c2b48c70b554f3427f6a1c23a6ea6b1c9e76edcbe655e88e247741c
SSDEEP

49152:Gg8nNv+SzYW4ZOUB5hempuE8OOTRmgysj8k4:Gg8h14

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1388 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

iFYEJ.exe

pid process

1496 iFYEJ.exe
1496 iFYEJ.exe
1496 iFYEJ.exe
1496 iFYEJ.exe
1496 iFYEJ.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

iFYEJ.exe

description pid process

Token: SeDebugPrivilege 1496 iFYEJ.exe

pid	process
1388	schtasks.exe

pid	process
1496	iFYEJ.exe
1496	iFYEJ.exe
1496	iFYEJ.exe
1496	iFYEJ.exe
1496	iFYEJ.exe

description	pid	process
Token: SeDebugPrivilege	1496	iFYEJ.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

iFYEJ.execmd.exe

description	pid	process	target process
PID 1496 wrote to memory of 1776	1496	iFYEJ.exe	cmd.exe
PID 1496 wrote to memory of 1776	1496	iFYEJ.exe	cmd.exe
PID 1496 wrote to memory of 1776	1496	iFYEJ.exe	cmd.exe
PID 1496 wrote to memory of 1776	1496	iFYEJ.exe	cmd.exe
PID 1776 wrote to memory of 1388	1776	cmd.exe	schtasks.exe
PID 1776 wrote to memory of 1388	1776	cmd.exe	schtasks.exe
PID 1776 wrote to memory of 1388	1776	cmd.exe	schtasks.exe
PID 1776 wrote to memory of 1388	1776	cmd.exe	schtasks.exe
PID 1496 wrote to memory of 296	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 296	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 296	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 296	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 1276	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 1276	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 1276	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 1276	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 672	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 672	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 672	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 672	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 1936	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 1936	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 1936	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 1936	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 636	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 636	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 636	1496	iFYEJ.exe	vbc.exe
PID 1496 wrote to memory of 636	1496	iFYEJ.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe
"C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \oFNTE /tr "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \oFNTE /tr "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
3⤵
- Creates scheduled task(s)
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:636

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1388-56-0x0000000000000000-mapping.dmp

Download
memory/1496-54-0x00000000002C0000-0x0000000000548000-memory.dmp

Filesize
2.5MB

Download
memory/1496-57-0x0000000000780000-0x00000000007A6000-memory.dmp

Filesize
152KB

Download
memory/1776-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads