41120e3a67adf60660a944f4407a4e55e2913c7d4e46710653675e3ad20cf64c

Analysis

max time kernel
49s
max time network
29s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sky net for W3/sky net for W3.exe
Size

372KB
MD5

b1453e8dad772d9bd589a7ed3b9b2098
SHA1

0e61d3e31b7339a20453cd77a4471b45a870b14b
SHA256

f6dec3e90080418799406aaf1f3ae35e448374c36f0c888790307fe6be3f766e
SHA512

1e27c0820d15849ffe5ce13ac6498f415875671ee30d234addae01a758745b1c263aa8115d99ceb06253744184e7fc647dfaec7a57bebf4f7f9114c799e3ac72
SSDEEP

6144:Cn/J6Xt0rr2ss7jrT+A0vdaIArVxiyBb8fDukrEbU+dEaIQ1fmekC9nvKpjleYj8:Qx6XtCrlArV1B0DgA+dEaIQ1fmekC9nP

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1096	sky net for W3.exe

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe
1096	sky net for W3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	sky net for W3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 368	1096	sky net for W3.exe	5
PID 1096 wrote to memory of 368	1096	sky net for W3.exe	5
PID 1096 wrote to memory of 368	1096	sky net for W3.exe	5
PID 1096 wrote to memory of 368	1096	sky net for W3.exe	5
PID 1096 wrote to memory of 368	1096	sky net for W3.exe	5
PID 1096 wrote to memory of 368	1096	sky net for W3.exe	5
PID 1096 wrote to memory of 368	1096	sky net for W3.exe	5
PID 1096 wrote to memory of 376	1096	sky net for W3.exe	4
PID 1096 wrote to memory of 376	1096	sky net for W3.exe	4
PID 1096 wrote to memory of 376	1096	sky net for W3.exe	4
PID 1096 wrote to memory of 376	1096	sky net for W3.exe	4
PID 1096 wrote to memory of 376	1096	sky net for W3.exe	4
PID 1096 wrote to memory of 376	1096	sky net for W3.exe	4
PID 1096 wrote to memory of 376	1096	sky net for W3.exe	4
PID 1096 wrote to memory of 416	1096	sky net for W3.exe	3
PID 1096 wrote to memory of 416	1096	sky net for W3.exe	3
PID 1096 wrote to memory of 416	1096	sky net for W3.exe	3
PID 1096 wrote to memory of 416	1096	sky net for W3.exe	3
PID 1096 wrote to memory of 416	1096	sky net for W3.exe	3
PID 1096 wrote to memory of 416	1096	sky net for W3.exe	3
PID 1096 wrote to memory of 416	1096	sky net for W3.exe	3
PID 1096 wrote to memory of 464	1096	sky net for W3.exe	2
PID 1096 wrote to memory of 464	1096	sky net for W3.exe	2
PID 1096 wrote to memory of 464	1096	sky net for W3.exe	2
PID 1096 wrote to memory of 464	1096	sky net for W3.exe	2
PID 1096 wrote to memory of 464	1096	sky net for W3.exe	2
PID 1096 wrote to memory of 464	1096	sky net for W3.exe	2
PID 1096 wrote to memory of 464	1096	sky net for W3.exe	2
PID 1096 wrote to memory of 472	1096	sky net for W3.exe	1
PID 1096 wrote to memory of 472	1096	sky net for W3.exe	1
PID 1096 wrote to memory of 472	1096	sky net for W3.exe	1
PID 1096 wrote to memory of 472	1096	sky net for W3.exe	1
PID 1096 wrote to memory of 472	1096	sky net for W3.exe	1
PID 1096 wrote to memory of 472	1096	sky net for W3.exe	1
PID 1096 wrote to memory of 472	1096	sky net for W3.exe	1
PID 1096 wrote to memory of 480	1096	sky net for W3.exe	8
PID 1096 wrote to memory of 480	1096	sky net for W3.exe	8
PID 1096 wrote to memory of 480	1096	sky net for W3.exe	8
PID 1096 wrote to memory of 480	1096	sky net for W3.exe	8
PID 1096 wrote to memory of 480	1096	sky net for W3.exe	8
PID 1096 wrote to memory of 480	1096	sky net for W3.exe	8
PID 1096 wrote to memory of 480	1096	sky net for W3.exe	8
PID 1096 wrote to memory of 596	1096	sky net for W3.exe	21
PID 1096 wrote to memory of 596	1096	sky net for W3.exe	21
PID 1096 wrote to memory of 596	1096	sky net for W3.exe	21
PID 1096 wrote to memory of 596	1096	sky net for W3.exe	21
PID 1096 wrote to memory of 596	1096	sky net for W3.exe	21
PID 1096 wrote to memory of 596	1096	sky net for W3.exe	21
PID 1096 wrote to memory of 596	1096	sky net for W3.exe	21
PID 1096 wrote to memory of 672	1096	sky net for W3.exe	20
PID 1096 wrote to memory of 672	1096	sky net for W3.exe	20
PID 1096 wrote to memory of 672	1096	sky net for W3.exe	20
PID 1096 wrote to memory of 672	1096	sky net for W3.exe	20
PID 1096 wrote to memory of 672	1096	sky net for W3.exe	20
PID 1096 wrote to memory of 672	1096	sky net for W3.exe	20
PID 1096 wrote to memory of 672	1096	sky net for W3.exe	20
PID 1096 wrote to memory of 756	1096	sky net for W3.exe	19
PID 1096 wrote to memory of 756	1096	sky net for W3.exe	19
PID 1096 wrote to memory of 756	1096	sky net for W3.exe	19
PID 1096 wrote to memory of 756	1096	sky net for W3.exe	19
PID 1096 wrote to memory of 756	1096	sky net for W3.exe	19
PID 1096 wrote to memory of 756	1096	sky net for W3.exe	19
PID 1096 wrote to memory of 756	1096	sky net for W3.exe	19
PID 1096 wrote to memory of 800	1096	sky net for W3.exe	9

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:800
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1192
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:880
- - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    PID:1848
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:980
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1128
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1064
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:284
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:844
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:756
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:596
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1992
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:808
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1212

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:480

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\sky net for W3\sky net for W3.exe
  "C:\Users\Admin\AppData\Local\Temp\sky net for W3\sky net for W3.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-54-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/1096-55-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1096-56-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download