7de1a568e5bae32607595e2aa0575d5167583880b75bb669ca6a8f2bb0e7d635

Analysis

max time kernel
138s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22e63c962c9dcc72e684a58775f8537d.exe
Size

201KB
MD5

22e63c962c9dcc72e684a58775f8537d
SHA1

be210861aab1398805b36635a39525d093265d70
SHA256

7de1a568e5bae32607595e2aa0575d5167583880b75bb669ca6a8f2bb0e7d635
SHA512

f2962046bf61483d75baa4ff9e33cf3b7e690b012185e89fc9372f32eb9ce642caaaaa26cc8b373b686db91d324cfbdacddb4fa20ae652c4cb871d2f59a5008f
SSDEEP

1536:4DmosJ1iQ8RVKXsHhllDaqy0NYr77n+xRARRumZD2kIDg/q2roWp7kMHoE2Pb5kt:G/E1iQ8geh+SRA3I0Lp70BPuxaWC8C

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2800	sqlcmd.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1940	schtasks.exe
2648	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1940	2224	22e63c962c9dcc72e684a58775f8537d.exe	29
PID 2224 wrote to memory of 1940	2224	22e63c962c9dcc72e684a58775f8537d.exe	29
PID 2224 wrote to memory of 1940	2224	22e63c962c9dcc72e684a58775f8537d.exe	29
PID 2224 wrote to memory of 1940	2224	22e63c962c9dcc72e684a58775f8537d.exe	29
PID 2284 wrote to memory of 2800	2284	taskeng.exe	31
PID 2284 wrote to memory of 2800	2284	taskeng.exe	31
PID 2284 wrote to memory of 2800	2284	taskeng.exe	31
PID 2284 wrote to memory of 2800	2284	taskeng.exe	31
PID 2800 wrote to memory of 2648	2800	sqlcmd.exe	35
PID 2800 wrote to memory of 2648	2800	sqlcmd.exe	35
PID 2800 wrote to memory of 2648	2800	sqlcmd.exe	35
PID 2800 wrote to memory of 2648	2800	sqlcmd.exe	35

C:\Users\Admin\AppData\Local\Temp\22e63c962c9dcc72e684a58775f8537d.exe
"C:\Users\Admin\AppData\Local\Temp\22e63c962c9dcc72e684a58775f8537d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1940

C:\Windows\system32\taskeng.exe
taskeng.exe {AE33045E-7A38-4F14-862E-9EA77769C985} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

Filesize
122KB

MD5
746e3d83b446fa2984a12c304106c070

SHA1
6324b4de8d9fcfe5ada2a20d06f4f7b552835185

SHA256
2b2088cb1eb00a27639b2330d58cd190ad1654ae78b2235dea81b193eac01539

SHA512
92d515b7c38df7dd26013c8a4efac8f50c0c5b1a317d9ca1dfcbb0db366e4a6d3df4f19408df745186f9ee28a2da08fcc608a35db5e5a19a7c189a973c2608fa

Download Submit
memory/2224-2-0x0000000000950000-0x0000000000A50000-memory.dmp

Filesize
1024KB

Download
memory/2224-4-0x0000000000400000-0x000000000089C000-memory.dmp

Filesize
4.6MB

Download
memory/2224-3-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2800-10-0x0000000000400000-0x000000000089C000-memory.dmp

Filesize
4.6MB

Download
memory/2800-9-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/2800-13-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads