7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a

Analysis

max time kernel
77s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
02/07/2023, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe
Size

89KB
MD5

a1fc1f283b43117423217d14b24c84cb
SHA1

e105245bc0491c3002a29ece210fdfe9f3125c5f
SHA256

7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a
SHA512

1f70b973ee61fe32bfbcf6a8b688ac485a5f5a986347db701e9233226aa3961cc97f78d68f5aa234cd22a23576f7637252ba34e7ee61da61d32753ef511cbf69
SSDEEP

1536:/7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf2w4Oq:z7DhdC6kzWypvaQ0FxyNTBf2X

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3996	powershell.exe
3996	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3996	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 4828	5024	Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe	84
PID 5024 wrote to memory of 4828	5024	Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe	84
PID 4828 wrote to memory of 1596	4828	cmd.exe	86
PID 4828 wrote to memory of 1596	4828	cmd.exe	86
PID 1596 wrote to memory of 3996	1596	cmd.exe	85
PID 1596 wrote to memory of 3996	1596	cmd.exe	85
PID 4828 wrote to memory of 3440	4828	cmd.exe	87
PID 4828 wrote to memory of 3440	4828	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe
"C:\Users\Admin\AppData\Local\Temp\Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C51A.tmp\C51B.tmp\C51C.bat C:\Users\Admin\AppData\Local\Temp\Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -NoP -C "'{0:yyyy/MM/dd}' -f (Get-Date).AddDays(20)"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1596
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /TR "C:\Users\Admin\AppData\Roaming\Microsoft\aufgabe.bat" /TN rechnung /SD 2023/07/22 /IT /SC HOURLY
    3⤵
    - Creates scheduled task(s)
    PID:3440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoP -C "'{0:yyyy/MM/dd}' -f (Get-Date).AddDays(20)"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C51A.tmp\C51B.tmp\C51C.bat

Filesize
767B

MD5
3c0c9ecb86067a3d366f4b9a0941e3bb

SHA1
72b4698df34df8daf013cdcf84075f3949b9640c

SHA256
36b3778c9f64edf8a442136c21f93ff7d1ecae98fc543e251195770ec675bf42

SHA512
2b421b17cbcbb8508f14f1a8536d72d6b51b250b401adb2062e0995a95692c2660e8a67612494c5f9db087eef105d8538e7e2991c9dcc000234b0099dbe4f057

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ylkc255e.jhc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3996-137-0x00000246676A0000-0x00000246676C2000-memory.dmp

Filesize
136KB

Download
memory/3996-147-0x0000024665E00000-0x0000024665E10000-memory.dmp

Filesize
64KB

Download
memory/3996-148-0x0000024665E00000-0x0000024665E10000-memory.dmp

Filesize
64KB

Download