c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82

Analysis

max time kernel
166s
max time network
138s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe
Size

100KB
MD5

c605b7c3e4c339642db6a33c5780b49b
SHA1

c2f01355880cd9dfeef75cff189f4a8af421e0d3
SHA256

c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82
SHA512

02ad68001d5e7754469584dd833ec902f56fd68222937819a5174450d18dc037cbcfdd8df770365d452519ef4c9081ecfd19e38f08fda2f78c441a1062a9cb26

Score

1^/10

Malware Config

Signatures

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2368	tasklist.exe
612	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
928	systeminfo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3704	c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe
Token: SeDebugPrivilege	612	tasklist.exe
Token: SeDebugPrivilege	2368	tasklist.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 880	3704	c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe	69
PID 3704 wrote to memory of 880	3704	c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe	69
PID 3704 wrote to memory of 880	3704	c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe	69
PID 880 wrote to memory of 928	880	cmd.exe	71
PID 880 wrote to memory of 928	880	cmd.exe	71
PID 880 wrote to memory of 928	880	cmd.exe	71
PID 880 wrote to memory of 612	880	cmd.exe	74
PID 880 wrote to memory of 612	880	cmd.exe	74
PID 880 wrote to memory of 612	880	cmd.exe	74
PID 880 wrote to memory of 2368	880	cmd.exe	75
PID 880 wrote to memory of 2368	880	cmd.exe	75
PID 880 wrote to memory of 2368	880	cmd.exe	75

C:\Users\Admin\AppData\Local\Temp\c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe
"C:\Users\Admin\AppData\Local\Temp\c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:928
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:612
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /M
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads