dc6f4504cce94fae8ca9ea856090de2f29ae7782fada96182fc01c093e4bb292

Analysis

max time kernel
426s
max time network
542s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc6f4504cce94fae8ca9ea856090de2f29ae7782fada96182fc01c093e4bb292.exe
Size

1.7MB
MD5

6f46e054f64095cdd33c8a91ddb10f2c
SHA1

d7268f8668fde3c9edbfb31f326620a99c1bfc04
SHA256

dc6f4504cce94fae8ca9ea856090de2f29ae7782fada96182fc01c093e4bb292
SHA512

c02c4b772004efdb45c4ec2b5b550d47ef5ed12e548a7866dbe049169be6de5b3b9842fff99202b9809cf14bb47a3050409c371798c322f52371fb9b1d0317e5
SSDEEP

49152:wC9fzeXGpYWoa2pFBva4d1Ml3OKY8EwNmDjEaggUvtcRv:VfKXG2WcFRxE3WbxDjEagPG1

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5072	DownloadManager.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5072	DownloadManager.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 5072	4396	dc6f4504cce94fae8ca9ea856090de2f29ae7782fada96182fc01c093e4bb292.exe	78
PID 4396 wrote to memory of 5072	4396	dc6f4504cce94fae8ca9ea856090de2f29ae7782fada96182fc01c093e4bb292.exe	78
PID 4396 wrote to memory of 5072	4396	dc6f4504cce94fae8ca9ea856090de2f29ae7782fada96182fc01c093e4bb292.exe	78

C:\Users\Admin\AppData\Local\Temp\dc6f4504cce94fae8ca9ea856090de2f29ae7782fada96182fc01c093e4bb292.exe
"C:\Users\Admin\AppData\Local\Temp\dc6f4504cce94fae8ca9ea856090de2f29ae7782fada96182fc01c093e4bb292.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Local\Temp\DownloadManager.exe
  "C:\Users\Admin\AppData\Local\Temp\config.xml" --dmlauncher --uploader
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DownloadManager.exe

Filesize
1.6MB

MD5
1ea016c071898502e2f72869e5d86402

SHA1
748907109ecddeb9950c02583e240657f5873a86

SHA256
dc4adf26fdfee4ee179aae6310d9c7a5dd7c04d5ca0954decd9889c120d8f9d6

SHA512
6afe6344fe0ef2587cf049431679d20dd9a9e8ed3f80c9469d122c88d09697051229ab165495acbcbe34369298c671e73bd9ebafce13b4f0934f7490bbf6eaf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DownloadManager.exe

Filesize
1.6MB

MD5
1ea016c071898502e2f72869e5d86402

SHA1
748907109ecddeb9950c02583e240657f5873a86

SHA256
dc4adf26fdfee4ee179aae6310d9c7a5dd7c04d5ca0954decd9889c120d8f9d6

SHA512
6afe6344fe0ef2587cf049431679d20dd9a9e8ed3f80c9469d122c88d09697051229ab165495acbcbe34369298c671e73bd9ebafce13b4f0934f7490bbf6eaf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.xml

Filesize
880B

MD5
301ed07a0adeee53a9ad96071078f6aa

SHA1
b93aa0c6fa2cfe6fc59d5cf27fc5f98ad116c311

SHA256
f47fbfcfa38b342236e30deab51b70b60c3c5a8a6883592754821ab1433c6788

SHA512
430ef44287422b6c9270fb6a7a545b4b9595a5a189d5818a2c788bd308c543d976afbd635e759643f4239f9c8bc6d9436328f48dd7226c611a1a044443500cb5

Download Submit
memory/5072-136-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/5072-138-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download