Analysis

max time kernel: 77s
max time network: 91s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/07/2023, 19:19
Tasks

Static task: static1

Behavioral task: behavioral1
  Sample: Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe
  Resource: win7-20230621-en

Behavioral task: behavioral2
  Sample: Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe
  Resource: win10v2004-20230621-en

The results below are from behavioral2 (the win10v2004-20230621-en run named in the Analysis header); the win7 run is not shown on this page.
General

Target: Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe
Size: 89KB
MD5: a1fc1f283b43117423217d14b24c84cb
SHA1: e105245bc0491c3002a29ece210fdfe9f3125c5f
SHA256: 7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a
SHA512: 1f70b973ee61fe32bfbcf6a8b688ac485a5f5a986347db701e9233226aa3961cc97f78d68f5aa234cd22a23576f7637252ba34e7ee61da61d32753ef511cbf69
SSDEEP: 1536:/7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf2w4Oq:z7DhdC6kzWypvaQ0FxyNTBf2X
Malware Config
Signatures

Creates scheduled task(s) (1 TTP, 1 IoC)
schtasks.exe is often used by malware for persistence or to perform post-infection execution.
  PID 3440  schtasks.exe
  Caveat: this signature records that schtasks.exe was invoked with /Create; it does not confirm that the task was registered. Verify on the host (Get-ScheduledTask -TaskName rechnung, or the task XML under C:\Windows\System32\Tasks).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3996  powershell.exe (logged twice)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 3996  powershell.exe
  Note: the PowerShell command line (see Processes) only formats a date, so these two signatures reflect powershell.exe's own start-up behaviour rather than anything the script does.

Suspicious use of WriteProcessMemory (8 IoCs; each writer/target pair was logged twice and is listed once here)
  description                        writer PID / process                                                                     target PID / process   procid_target
  PID 5024 wrote to memory of 4828   5024  Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe   4828  cmd.exe         84
  PID 4828 wrote to memory of 1596   4828  cmd.exe                                                                           1596  cmd.exe         86
  PID 1596 wrote to memory of 3996   1596  cmd.exe                                                                           3996  powershell.exe  85
  PID 4828 wrote to memory of 3440   4828  cmd.exe                                                                           3440  schtasks.exe    87
  Caveat: every writer/target pair is a direct parent/child relationship in the process tree below, which is how this signature fires on ordinary child-process creation. On its own it is not evidence of injection into an unrelated process.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe"
    PID: 5024
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C51A.tmp\C51B.tmp\C51C.bat C:\Users\Admin\AppData\Local\Temp\Malicious_7661e99f58482e72e4dd99966d70b65bcb6c67fd6e0adc5d5b8fbebeeb4fb67a.exe"
        PID: 4828
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c powershell -NoP -C "'{0:yyyy/MM/dd}' -f (Get-Date).AddDays(20)"
            PID: 1596
            - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\schtasks.exe
            Command line: schtasks /Create /TR "C:\Users\Admin\AppData\Roaming\Microsoft\aufgabe.bat" /TN rechnung /SD 2023/07/22 /IT /SC HOURLY
            PID: 3440
            - Creates scheduled task(s)

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -NoP -C "'{0:yyyy/MM/dd}' -f (Get-Date).AddDays(20)"
    PID: 3996
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Reading the chain:

- The sample writes a batch file into a nested temporary directory (C51A.tmp\C51B.tmp\C51C.bat) and runs it with its own path as the first argument, consistent with a batch-to-EXE wrapper that extracts its embedded script at run time.
- cmd.exe is started through C:\Windows\sysnative\cmd. That alias only resolves from a 32-bit (WoW64) process, where it maps to the 64-bit System32, which is why the recorded image path is C:\Windows\system32\cmd.exe and why the sample itself must be a 32-bit executable (the resource tags list both arch:x86 and arch:x64).
- The batch file asks PowerShell for a date 20 days in the future formatted as yyyy/MM/dd. The sample was submitted on 02/07/2023 (2 July 2023); 2023/07/22 is exactly 20 days later, so the /SD value in the schtasks command is that PowerShell output.
- It then registers an hourly task named rechnung (German: invoice) whose action is C:\Users\Admin\AppData\Roaming\Microsoft\aufgabe.bat (German: task), with a start date 20 days out. /IT means the task runs only while the user is logged on interactively. A 20-day deferral means no sandbox detonation will ever observe the task's action; the persistence is the observable, not the payload.
- Nothing in this report names aufgabe.bat as a dropped file; the two files under Downloads (767 B and 60 B) are listed by hash only, so the task's payload is not identified here.
- schtasks parses /SD in the locale's short-date format (MM/dd/yyyy on an en-US image), so a yyyy/MM/dd value may be rejected; the signature above records only the invocation, so confirm registration on the host before treating the task as live.
- powershell.exe (PID 3996) appears as a separate root in the tree, but the WriteProcessMemory IoCs (1596 wrote to 3996) place it under cmd.exe PID 1596, i.e. it is the child of the /c powershell command at depth [3].
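The schtasks command line in the tree carries the properties a hunt or detection rule would key on. The following Python is an added example for this page, not code from the sandbox, the sample, or the report: it tokenises a schtasks command line, reproduces the PowerShell date arithmetic the batch file used for /SD, and flags a script action in a user-writable directory, a deferred start date and a high-frequency schedule. The schtasks line and the submission date are copied from the report; the benign control line, the directory list and all function names are constructed for illustration.

```python
"""Assess the schtasks /Create command line from the process tree.

Added example for this report; it is not code from the sandbox or the sample.
It tokenises a schtasks command line, reproduces the PowerShell date arithmetic
the batch file used for /SD, and flags the properties a hunt or detection rule
would key on.
"""
import re
from datetime import date, datetime, timedelta

# Copied from the Processes section of the report.
SCHTASKS_CMDLINE = (
    'schtasks /Create /TR "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\aufgabe.bat" '
    "/TN rechnung /SD 2023/07/22 /IT /SC HOURLY"
)
# Submission date from the Analysis header (02/07/2023, day/month/year).
SUBMITTED = date(2023, 7, 2)
# Constructed benign control line; not from the report.
BENIGN_CMDLINE = (
    'schtasks /Create /TN NightlyBackup /TR "C:\\Program Files\\Backup\\run.exe" '
    "/SC DAILY /ST 02:00"
)

# Directories an unprivileged user can write to (constructed list); a task
# action living here is the classic user-level persistence pattern.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\", re.I)
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")
HIGH_FREQUENCY = {"MINUTE", "HOURLY"}


def powershell_adddays(today, days):
    """Reproduce '{0:yyyy/MM/dd}' -f (Get-Date).AddDays(days) for a given 'today'."""
    return (today + timedelta(days=days)).strftime("%Y/%m/%d")


def parse_schtasks(cmdline):
    """Map schtasks switches to their values ('/IT' -> None for bare flags).

    Quoted arguments are kept whole so paths containing spaces survive.
    """
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    opts = {}
    i = 1  # tokens[0] is the schtasks image name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok.upper()
            # A switch consumes the next token as its value unless that token
            # is itself a switch.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = None
        i += 1
    return opts


def assess(cmdline, observed_on):
    """Return (parsed switches, list of findings) for one schtasks command line."""
    opts = parse_schtasks(cmdline)
    findings = []
    if "/CREATE" not in opts:
        return opts, findings
    action = opts.get("/TR") or ""
    if USER_WRITABLE.search(action):
        findings.append("action runs from a user-writable directory")
    if action.lower().endswith(SCRIPT_EXTENSIONS):
        findings.append("action is a script, not a signed binary")
    start = opts.get("/SD")
    if start:
        try:
            # The batch file emitted yyyy/MM/dd. schtasks itself parses /SD in
            # the locale's short-date format, so a production rule should also
            # accept that format; this example only handles the one seen here.
            start_date = datetime.strptime(start, "%Y/%m/%d").date()
        except ValueError:
            start_date = None
        if start_date and start_date > observed_on:
            delay = (start_date - observed_on).days
            findings.append(f"start deferred {delay} days (sandbox detonation would miss the action)")
    if (opts.get("/SC") or "").upper() in HIGH_FREQUENCY:
        findings.append(f"high-frequency schedule /SC {opts['/SC']}")
    return opts, findings


if __name__ == "__main__":
    # Confirm the /SD value is the PowerShell output for the submission day.
    print("AddDays(20) on submission day:", powershell_adddays(SUBMITTED, 20))
    for line in (SCHTASKS_CMDLINE, BENIGN_CMDLINE):
        opts, findings = assess(line, SUBMITTED)
        print(opts.get("/TN"), "->", findings or ["no findings"])
```

Run as a script it prints 2023/07/22 for the submission day, matching the /SD in the report, and lists three findings for the rechnung task and none for the control line. The same assess() function can be fed schtasks command lines from Sysmon Event ID 1 or Security 4688 logs; the deferred-start finding is the one worth alerting on, since a legitimately created task rarely starts weeks after creation.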
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped files, listed by hash only)

File 1
  Filesize: 767B
  MD5: 3c0c9ecb86067a3d366f4b9a0941e3bb
  SHA1: 72b4698df34df8daf013cdcf84075f3949b9640c
  SHA256: 36b3778c9f64edf8a442136c21f93ff7d1ecae98fc543e251195770ec675bf42
  SHA512: 2b421b17cbcbb8508f14f1a8536d72d6b51b250b401adb2062e0995a95692c2660e8a67612494c5f9db087eef105d8538e7e2991c9dcc000234b0099dbe4f057

File 2
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82