805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f | Triage

Analysis

max time kernel
118s
max time network
152s
platform
windows10_x64
resource
win10-en-20211104
submitted
09-11-2021 01:14

Sharing

Report Analysis Logs

General

Target

805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f.bin.exe
Size

8.3MB
MD5

aedebba95462e9db10b834551e3abc03
SHA1

551c8f9200aa77d9bc94260a516522619016e2b7
SHA256

805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f
SHA512

e3928a34b18385ea8c43598bc13792b3f2d5b3f9cf0a2aa2b0bd0db666ad7e69d6cfdfb4d5dc07f086707156623462ce24432275a6d5bf08669478fe55954980

Score

1^/10

Malware Config

Signatures

GoLang User-Agent 21 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	12	Go-http-client/1.1
HTTP User-Agent header	27	Go-http-client/1.1
HTTP User-Agent header	29	Go-http-client/1.1
HTTP User-Agent header	30	Go-http-client/1.1
HTTP User-Agent header	31	Go-http-client/1.1
HTTP User-Agent header	25	Go-http-client/1.1
HTTP User-Agent header	26	Go-http-client/1.1
HTTP User-Agent header	28	Go-http-client/1.1
HTTP User-Agent header	16	Go-http-client/1.1
HTTP User-Agent header	17	Go-http-client/1.1
HTTP User-Agent header	18	Go-http-client/1.1
HTTP User-Agent header	20	Go-http-client/1.1
HTTP User-Agent header	22	Go-http-client/1.1
HTTP User-Agent header	50	Go-http-client/1.1
HTTP User-Agent header	23	Go-http-client/1.1
HTTP User-Agent header	24	Go-http-client/1.1
HTTP User-Agent header	11	Go-http-client/1.1
HTTP User-Agent header	15	Go-http-client/1.1
HTTP User-Agent header	19	Go-http-client/1.1
HTTP User-Agent header	49	Go-http-client/1.1
HTTP User-Agent header	51	Go-http-client/1.1

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

whoami.exe

description pid process

Token: SeDebugPrivilege 1012 whoami.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f.bin.execmd.exe

description	pid	process	target process
PID 2792 wrote to memory of 3168	2792	805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f.bin.exe	cmd.exe
PID 2792 wrote to memory of 3168	2792	805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f.bin.exe	cmd.exe
PID 2792 wrote to memory of 3168	2792	805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f.bin.exe	cmd.exe
PID 3168 wrote to memory of 1012	3168	cmd.exe	whoami.exe
PID 3168 wrote to memory of 1012	3168	cmd.exe	whoami.exe
PID 3168 wrote to memory of 1012	3168	cmd.exe	whoami.exe

C:\Users\Admin\AppData\Local\Temp\805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f.bin.exe
"C:\Users\Admin\AppData\Local\Temp\805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd /c whoami
2⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1012-119-0x0000000000000000-mapping.dmp

Download
memory/3168-118-0x0000000000000000-mapping.dmp

Download