a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7

Analysis

max time kernel
151s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe
Size

1.9MB
MD5

a5bcf3cf4809d57bcf38d99b205272c2
SHA1

e32c158f2f974be675793900a64054ff229b5423
SHA256

a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7
SHA512

5cad7bfdd1fb47f3f2f7e974bfcc028a14d149fa176c2327c3146442c044752aba5c6b348642c460ffa2772db5900bdf2c11d49bb5fd8a16d4201745d6c199c5
SSDEEP

49152:MawZsUUeD9jFldRSXgFzD6LSDS2wV4M/1pvCupGnOn:MnnUeDtSQFzD6LS2dVbtpvCROn

Score

1^/10

Malware Config

Signatures

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3884 ipconfig.exe

pid	process
3884	ipconfig.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe

pid	process
2676	a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe
2676	a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe

pid	process
2676	a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe
2676	a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe

pid	process
2676	a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe
2676	a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe

description	pid	process	target process
PID 2676 wrote to memory of 3884	2676	a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe	ipconfig.exe
PID 2676 wrote to memory of 3884	2676	a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe	ipconfig.exe
PID 2676 wrote to memory of 3884	2676	a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe
"C:\Users\Admin\AppData\Local\Temp\a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
2⤵
- Gathers network information
PID:3884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2676-132-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/2676-133-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/2676-134-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/2676-135-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/2676-137-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/3884-136-0x0000000000000000-mapping.dmp

Download