c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82

General

Target

c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe
Size

100KB
MD5

c605b7c3e4c339642db6a33c5780b49b
SHA1

c2f01355880cd9dfeef75cff189f4a8af421e0d3
SHA256

c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82
SHA512

02ad68001d5e7754469584dd833ec902f56fd68222937819a5174450d18dc037cbcfdd8df770365d452519ef4c9081ecfd19e38f08fda2f78c441a1062a9cb26

Score

1^/10

Malware Config

Signatures

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2368 tasklist.exe
612 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

928 systeminfo.exe

pid	process
2368	tasklist.exe
612	tasklist.exe

pid	process
928	systeminfo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	3704	c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe
Token: SeDebugPrivilege	612	tasklist.exe
Token: SeDebugPrivilege	2368	tasklist.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.execmd.exe

description	pid	process	target process
PID 3704 wrote to memory of 880	3704	c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe	cmd.exe
PID 3704 wrote to memory of 880	3704	c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe	cmd.exe
PID 3704 wrote to memory of 880	3704	c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe	cmd.exe
PID 880 wrote to memory of 928	880	cmd.exe	systeminfo.exe
PID 880 wrote to memory of 928	880	cmd.exe	systeminfo.exe
PID 880 wrote to memory of 928	880	cmd.exe	systeminfo.exe
PID 880 wrote to memory of 612	880	cmd.exe	tasklist.exe
PID 880 wrote to memory of 612	880	cmd.exe	tasklist.exe
PID 880 wrote to memory of 612	880	cmd.exe	tasklist.exe
PID 880 wrote to memory of 2368	880	cmd.exe	tasklist.exe
PID 880 wrote to memory of 2368	880	cmd.exe	tasklist.exe
PID 880 wrote to memory of 2368	880	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe
"C:\Users\Admin\AppData\Local\Temp\c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:928
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:612
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /M
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.bat

MD5
24431cca984d119621b085829a0fc3e1

SHA1
b451b5cdff61516524fca5a1cc810ca8851206d5

SHA256
81ce17bc245cd32f2b04397d23528068c076f9e71fa163b1e900a5732c6db46e

SHA512
57ce62199fe56cf8008c1eb8f310c6a9a534867abe6f432d208328c9f7cab2cb4fad3af1f6b11716e2861e863f84bc988cfb903a8a333a180225967bb0051972

Download Submit

Analysis

Sharing