Analysis

max time kernel: 45s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted: 08-02-2023 21:16

Static task: static1
Behavioral task: behavioral1
Sample: iFYEJ.exe
Resource: win7-20220901-en (windows7-x64)
5 signatures
150 seconds
General

Target: iFYEJ.exe
Size: 2.5MB
MD5: acfe53c70928d44f9cf498495145ec84
SHA1: 2a12b327d4e5628904cc25c5f134732d6265e662
SHA256: b706de1b9f7ef2d7f6c4d5fddd9525d907a7a0fdb087d98c4a01589f6178edc7
SHA512: 345143bcc9895282d2843efee182eb07bc0d0179c0c1e6ffcdd7ff9f1d44c252ffccb1b56c2b48c70b554f3427f6a1c23a6ea6b1c9e76edcbe655e88e247741c
SSDEEP: 49152:Gg8nNv+SzYW4ZOUB5hempuE8OOTRmgysj8k4:Gg8h14

Score: 7/10
Malware Config
Signatures
- Uses the VBS compiler for execution (1 TTPs)

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid   process
    1496  iFYEJ.exe
    1496  iFYEJ.exe
    1496  iFYEJ.exe
    1496  iFYEJ.exe
    1496  iFYEJ.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1496  iFYEJ.exe

- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes:
    description                        pid   process    target process
    PID 1496 wrote to memory of 1776   1496  iFYEJ.exe  cmd.exe
    PID 1496 wrote to memory of 1776   1496  iFYEJ.exe  cmd.exe
    PID 1496 wrote to memory of 1776   1496  iFYEJ.exe  cmd.exe
    PID 1496 wrote to memory of 1776   1496  iFYEJ.exe  cmd.exe
    PID 1776 wrote to memory of 1388   1776  cmd.exe    schtasks.exe
    PID 1776 wrote to memory of 1388   1776  cmd.exe    schtasks.exe
    PID 1776 wrote to memory of 1388   1776  cmd.exe    schtasks.exe
    PID 1776 wrote to memory of 1388   1776  cmd.exe    schtasks.exe
    PID 1496 wrote to memory of 296    1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 296    1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 296    1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 296    1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 1276   1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 1276   1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 1276   1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 1276   1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 672    1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 672    1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 672    1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 672    1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 1936   1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 1936   1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 1936   1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 1936   1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 636    1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 636    1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 636    1496  iFYEJ.exe  vbc.exe
    PID 1496 wrote to memory of 636    1496  iFYEJ.exe  vbc.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "cmd" /C schtasks /create /tn \oFNTE /tr "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: schtasks /create /tn \oFNTE /tr "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
      - Creates scheduled task(s)

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"