7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
02-07-2023 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe
Size

89KB
MD5

a1fc1f283b43117423217d14b24c84cb
SHA1

e105245bc0491c3002a29ece210fdfe9f3125c5f
SHA256

7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a
SHA512

1f70b973ee61fe32bfbcf6a8b688ac485a5f5a986347db701e9233226aa3961cc97f78d68f5aa234cd22a23576f7637252ba34e7ee61da61d32753ef511cbf69
SSDEEP

1536:/7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf2w4Oq:z7DhdC6kzWypvaQ0FxyNTBf2X

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1300	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 928	1504	Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe	29
PID 1504 wrote to memory of 928	1504	Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe	29
PID 1504 wrote to memory of 928	1504	Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe	29
PID 1504 wrote to memory of 928	1504	Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe	29
PID 928 wrote to memory of 1332	928	cmd.exe	30
PID 928 wrote to memory of 1332	928	cmd.exe	30
PID 928 wrote to memory of 1332	928	cmd.exe	30
PID 1332 wrote to memory of 1300	1332	cmd.exe	31
PID 1332 wrote to memory of 1300	1332	cmd.exe	31
PID 1332 wrote to memory of 1300	1332	cmd.exe	31
PID 928 wrote to memory of 1308	928	cmd.exe	32
PID 928 wrote to memory of 1308	928	cmd.exe	32
PID 928 wrote to memory of 1308	928	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe
"C:\Users\Admin\AppData\Local\Temp\Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FFA4.tmp\FFA5.tmp\FFA6.bat C:\Users\Admin\AppData\Local\Temp\Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -NoP -C "'{0:yyyy/MM/dd}' -f (Get-Date).AddDays(20)"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoP -C "'{0:yyyy/MM/dd}' -f (Get-Date).AddDays(20)"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1300
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /TR "C:\Users\Admin\AppData\Roaming\Microsoft\aufgabe.bat" /TN rechnung /SD 2023/07/22 /IT /SC HOURLY
    3⤵
    - Creates scheduled task(s)
    PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FFA4.tmp\FFA5.tmp\FFA6.bat

Filesize
767B

MD5
3c0c9ecb86067a3d366f4b9a0941e3bb

SHA1
72b4698df34df8daf013cdcf84075f3949b9640c

SHA256
36b3778c9f64edf8a442136c21f93ff7d1ecae98fc543e251195770ec675bf42

SHA512
2b421b17cbcbb8508f14f1a8536d72d6b51b250b401adb2062e0995a95692c2660e8a67612494c5f9db087eef105d8538e7e2991c9dcc000234b0099dbe4f057

Download Submit
memory/1300-62-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/1300-63-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/1300-64-0x00000000023C4000-0x00000000023C7000-memory.dmp

Filesize
12KB

Download
memory/1300-65-0x00000000023CB000-0x0000000002402000-memory.dmp

Filesize
220KB

Download