447a62c7e29e2da85884b6e4aea80aca2cc5ba86694733ca397a2c8ba0f8e197

Analysis

max time kernel
134s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Daily Report(27-6-2022)-(EN).exe
Size

397KB
MD5

c751af3a2b5e5085e0cf4a66a09480d9
SHA1

0d451c8ee760d3fdf1233b44b657dc10e0450bb6
SHA256

4761183bc8bff993a5551916eda73c84bb8f9eadd24c4c19587045bb91609a83
SHA512

bd88ea76db942b4fd865ed986be75d6df6a90d10f3600a4c3f330a0d7935b1906b536a2eb2cc0211dd199bf2a37440d0a8febbbe6c6ad9b9027e6e59c9511e01
SSDEEP

12288:n5RmQFpKMFeO7Blp/B8Z7QZLJZpT6672GbziER839l/d6LYE2B38jqLX:Z/l839l/ooEC

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1492	WorkstationPro.exe

Loads dropped DLL 1 IoCs

pid	Process
1492	WorkstationPro.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2888	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2888	1500	Daily Report(27-6-2022)-(EN).exe	28
PID 1500 wrote to memory of 2888	1500	Daily Report(27-6-2022)-(EN).exe	28
PID 1500 wrote to memory of 2888	1500	Daily Report(27-6-2022)-(EN).exe	28
PID 1500 wrote to memory of 2888	1500	Daily Report(27-6-2022)-(EN).exe	28
PID 3032 wrote to memory of 1492	3032	taskeng.exe	33
PID 3032 wrote to memory of 1492	3032	taskeng.exe	33
PID 3032 wrote to memory of 1492	3032	taskeng.exe	33
PID 3032 wrote to memory of 1492	3032	taskeng.exe	33

C:\Users\Admin\AppData\Local\Temp\Daily Report(27-6-2022)-(EN).exe
"C:\Users\Admin\AppData\Local\Temp\Daily Report(27-6-2022)-(EN).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 2 /tn "TimeCheck" /tr "C:\Users\Public\Documents\WorkstationPro.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2888

C:\Windows\system32\taskeng.exe
taskeng.exe {2D9520AA-44FE-4DB1-AA73-AAC575963CD4} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Public\Documents\WorkstationPro.exe
  C:\Users\Public\Documents\WorkstationPro.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\WorkstationPro.exe

Filesize
108KB

MD5
74183f9583464e70909315a5ee09ded4

SHA1
04571cc1bd7a55b77afd7fe7670487eb14575f16

SHA256
765bca508d96c012d246ed92355ff4c287a201b61c9e4a3b3d19f855a2f6efc3

SHA512
55df635ac4376253d93bb22809bbd56e3a789e936e911216ca36c38bd70779a57b264b5111b3d27c31d8c90ee51eaf96f9dd6f0e1928b8f41fdf1a0a96f3cc86

Download Submit
\Users\Public\Documents\2345DLAgent.dll

Filesize
489KB

MD5
a6efe263acc794a212647a96e52ddf1f

SHA1
d6970b0cb217a87f22bccecbfd7090ca2e9966ee

SHA256
5ca7ccd312871a20cc5a35e3b115266fe8a9ceb3470844597d73a0ed8013c2b7

SHA512
c905dd103432e6c5434f8ace865a81a9af390e2da27ef5410bd8db1e46fcae36015794e7ea4104295bfc01462e65f793f59ed086dedbba4409ac927389a6d508

Download Submit
memory/1492-6-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads