082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f

Analysis

max time kernel
92s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f.exe
Size

7KB
MD5

65a752a456ed880ac827a84dcdd3d9d8
SHA1

025ebdcfc06a1b4984847fe758649ce7245c02db
SHA256

082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f
SHA512

d8c926f94f7c895896ddc274af39fef8a53602666527b30edd18c6045746b37b4441445eb3dab800f268fed9ba2e0f0fdf51b983cefc0932913d8bbef0dafefb
SSDEEP

96:0P67TeuaABBDSyst9pvr51V+65gqTNN081e8eRD:0y7TqABBW517gS0UiD

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	net.exe
File opened (read-only)	\??\T:	net.exe
File opened (read-only)	\??\U:	net.exe
File opened (read-only)	\??\H:	net.exe
File opened (read-only)	\??\K:	net.exe
File opened (read-only)	\??\R:	net.exe
File opened (read-only)	\??\V:	net.exe
File opened (read-only)	\??\X:	net.exe
File opened (read-only)	\??\N:	net.exe
File opened (read-only)	\??\O:	net.exe
File opened (read-only)	\??\S:	net.exe
File opened (read-only)	\??\I:	net.exe
File opened (read-only)	\??\Q:	net.exe
File opened (read-only)	\??\T:	net.exe
File opened (read-only)	\??\U:	net.exe
File opened (read-only)	\??\W:	net.exe
File opened (read-only)	\??\Z:	net.exe
File opened (read-only)	\??\P:	net.exe
File opened (read-only)	\??\R:	net.exe
File opened (read-only)	\??\N:	net.exe
File opened (read-only)	\??\P:	net.exe
File opened (read-only)	\??\M:	net.exe
File opened (read-only)	\??\O:	net.exe
File opened (read-only)	\??\Y:	net.exe
File opened (read-only)	\??\J:	net.exe
File opened (read-only)	\??\L:	net.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 4300	1968	082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f.exe	82
PID 1968 wrote to memory of 4300	1968	082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f.exe	82
PID 1968 wrote to memory of 4300	1968	082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f.exe	82
PID 4300 wrote to memory of 2116	4300	cmd.exe	83
PID 4300 wrote to memory of 2116	4300	cmd.exe	83
PID 4300 wrote to memory of 2116	4300	cmd.exe	83
PID 4300 wrote to memory of 892	4300	cmd.exe	84
PID 4300 wrote to memory of 892	4300	cmd.exe	84
PID 4300 wrote to memory of 892	4300	cmd.exe	84
PID 4300 wrote to memory of 528	4300	cmd.exe	87
PID 4300 wrote to memory of 528	4300	cmd.exe	87
PID 4300 wrote to memory of 528	4300	cmd.exe	87
PID 4300 wrote to memory of 2136	4300	cmd.exe	86
PID 4300 wrote to memory of 2136	4300	cmd.exe	86
PID 4300 wrote to memory of 2136	4300	cmd.exe	86
PID 4300 wrote to memory of 3836	4300	cmd.exe	85
PID 4300 wrote to memory of 3836	4300	cmd.exe	85
PID 4300 wrote to memory of 3836	4300	cmd.exe	85
PID 4300 wrote to memory of 4604	4300	cmd.exe	88
PID 4300 wrote to memory of 4604	4300	cmd.exe	88
PID 4300 wrote to memory of 4604	4300	cmd.exe	88
PID 4300 wrote to memory of 4796	4300	cmd.exe	89
PID 4300 wrote to memory of 4796	4300	cmd.exe	89
PID 4300 wrote to memory of 4796	4300	cmd.exe	89
PID 4300 wrote to memory of 4840	4300	cmd.exe	90
PID 4300 wrote to memory of 4840	4300	cmd.exe	90
PID 4300 wrote to memory of 4840	4300	cmd.exe	90
PID 4300 wrote to memory of 4848	4300	cmd.exe	91
PID 4300 wrote to memory of 4848	4300	cmd.exe	91
PID 4300 wrote to memory of 4848	4300	cmd.exe	91
PID 4300 wrote to memory of 3968	4300	cmd.exe	92
PID 4300 wrote to memory of 3968	4300	cmd.exe	92
PID 4300 wrote to memory of 3968	4300	cmd.exe	92
PID 4300 wrote to memory of 2272	4300	cmd.exe	93
PID 4300 wrote to memory of 2272	4300	cmd.exe	93
PID 4300 wrote to memory of 2272	4300	cmd.exe	93
PID 4300 wrote to memory of 2576	4300	cmd.exe	94
PID 4300 wrote to memory of 2576	4300	cmd.exe	94
PID 4300 wrote to memory of 2576	4300	cmd.exe	94
PID 4300 wrote to memory of 2308	4300	cmd.exe	95
PID 4300 wrote to memory of 2308	4300	cmd.exe	95
PID 4300 wrote to memory of 2308	4300	cmd.exe	95
PID 4300 wrote to memory of 2424	4300	cmd.exe	96
PID 4300 wrote to memory of 2424	4300	cmd.exe	96
PID 4300 wrote to memory of 2424	4300	cmd.exe	96
PID 4300 wrote to memory of 4828	4300	cmd.exe	97
PID 4300 wrote to memory of 4828	4300	cmd.exe	97
PID 4300 wrote to memory of 4828	4300	cmd.exe	97
PID 4300 wrote to memory of 1236	4300	cmd.exe	98
PID 4300 wrote to memory of 1236	4300	cmd.exe	98
PID 4300 wrote to memory of 1236	4300	cmd.exe	98
PID 4300 wrote to memory of 1412	4300	cmd.exe	99
PID 4300 wrote to memory of 1412	4300	cmd.exe	99
PID 4300 wrote to memory of 1412	4300	cmd.exe	99
PID 4300 wrote to memory of 1436	4300	cmd.exe	100
PID 4300 wrote to memory of 1436	4300	cmd.exe	100
PID 4300 wrote to memory of 1436	4300	cmd.exe	100
PID 4300 wrote to memory of 3744	4300	cmd.exe	101
PID 4300 wrote to memory of 3744	4300	cmd.exe	101
PID 4300 wrote to memory of 3744	4300	cmd.exe	101
PID 4300 wrote to memory of 4904	4300	cmd.exe	102
PID 4300 wrote to memory of 4904	4300	cmd.exe	102
PID 4300 wrote to memory of 4904	4300	cmd.exe	102
PID 4300 wrote to memory of 808	4300	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f.exe
"C:\Users\Admin\AppData\Local\Temp\082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\cmd.exe
  /c ""C:\Users\Admin\AppData\Local\Temp\240560609.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\SysWOW64\net.exe
    NET USE H: /delete
    3⤵
    - Enumerates connected drives
    PID:2116
- - C:\Windows\SysWOW64\net.exe
    NET USE I: /delete
    3⤵
    - Enumerates connected drives
    PID:892
- - C:\Windows\SysWOW64\net.exe
    NET USE L: /delete
    3⤵
    - Enumerates connected drives
    PID:3836
- - C:\Windows\SysWOW64\net.exe
    NET USE K: /delete
    3⤵
    - Enumerates connected drives
    PID:2136
- - C:\Windows\SysWOW64\net.exe
    NET USE J: /delete
    3⤵
    - Enumerates connected drives
    PID:528
- - C:\Windows\SysWOW64\net.exe
    NET USE M: /delete
    3⤵
    - Enumerates connected drives
    PID:4604
- - C:\Windows\SysWOW64\net.exe
    NET USE N: /delete
    3⤵
    - Enumerates connected drives
    PID:4796
- - C:\Windows\SysWOW64\net.exe
    NET USE O: /delete
    3⤵
    - Enumerates connected drives
    PID:4840
- - C:\Windows\SysWOW64\net.exe
    NET USE P: /delete
    3⤵
    - Enumerates connected drives
    PID:4848
- - C:\Windows\SysWOW64\net.exe
    NET USE Q: /delete
    3⤵
    - Enumerates connected drives
    PID:3968
- - C:\Windows\SysWOW64\net.exe
    NET USE R: /delete
    3⤵
    - Enumerates connected drives
    PID:2272
- - C:\Windows\SysWOW64\net.exe
    NET USE S: /delete
    3⤵
    - Enumerates connected drives
    PID:2576
- - C:\Windows\SysWOW64\net.exe
    NET USE T: /delete
    3⤵
    - Enumerates connected drives
    PID:2308
- - C:\Windows\SysWOW64\net.exe
    NET USE U: /delete
    3⤵
    - Enumerates connected drives
    PID:2424
- - C:\Windows\SysWOW64\net.exe
    NET USE V: /delete
    3⤵
    - Enumerates connected drives
    PID:4828
- - C:\Windows\SysWOW64\net.exe
    NET USE W: /delete
    3⤵
    - Enumerates connected drives
    PID:1236
- - C:\Windows\SysWOW64\net.exe
    NET USE X: /delete
    3⤵
    - Enumerates connected drives
    PID:1412
- - C:\Windows\SysWOW64\net.exe
    NET USE Y: /delete
    3⤵
    - Enumerates connected drives
    PID:1436
- - C:\Windows\SysWOW64\net.exe
    NET USE Z: /delete
    3⤵
    - Enumerates connected drives
    PID:3744
- - C:\Windows\SysWOW64\cmdkey.exe
    cmdkey /add:192.168.1.206 /user:sgsgictsup /pass:sgictsup-rw33122060afk
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\net.exe
    NET USE N: \\192.168.1.206\Drivers /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:808
- - C:\Windows\SysWOW64\net.exe
    NET USE O: \\192.168.1.206\Information /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:924
- - C:\Windows\SysWOW64\net.exe
    NET USE P: \\192.168.1.206\privacy /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:4476
- - C:\Windows\SysWOW64\net.exe
    NET USE R: \\192.168.1.206\è╟ù¥òö /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:3476
- - C:\Windows\SysWOW64\net.exe
    NET USE S: \\192.168.1.206\îoù¥Ä║ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:3596
- - C:\Windows\SysWOW64\net.exe
    NET USE T: \\192.168.1.206\É}ÅæÄ║ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:3624
- - C:\Windows\SysWOW64\net.exe
    NET USE U: \\192.168.1.206\ôîï₧ò█êτÉΩû
    3⤵
    - Enumerates connected drives
    PID:3692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240560609.bat

Filesize
1KB

MD5
60ec40eac92ae3470a8eb7eb715b2472

SHA1
0afeb264f50da70626c5c1686d7906474a1baee9

SHA256
00e9de57fc8370063ac015b1d9428e38d51f4a8093cc223c610b7d46ed9c45e4

SHA512
90a46044abb99d7456a71e8c0fece91d7943e092099e0332c43ccc6c213c3db51eb463ddc729c5bae27b11d3d9caf648d6ee228af5440597c3abe3a78e72697b

Download Submit