4e7a06b20666a62613cca9f75ae58a35cfc5d721c05c8b435170a4e8024ba87e

Resubmissions

20-07-2023 06:12

230720-gyc5eadf7x 10

07-12-2022 01:02

221207-bdw4wsdf7t 10

Analysis

max time kernel
762s
max time network
898s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07-12-2022 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

简历.zip
Size

168KB
MD5

f1c56cc405029826cf7a21a1394bf18e
SHA1

1b9080ac30d6fc8963457e90aa9d5e56bb7eace0
SHA256

4e7a06b20666a62613cca9f75ae58a35cfc5d721c05c8b435170a4e8024ba87e
SHA512

31597e85de1b58bfadc88f2b79bc0f7dcaa79d8d63cdb4517cb35f7d99df643ab34b096931af44029e3c16c5ed6a183437009a4dc144c65cbf15034c7c6caa53
SSDEEP

3072:v0qEgiHe4UvUmvUVCn/CudT8opk05O/q9hLLePw/95HMxlvFiqbM9PjX:nQewOv/DqoXQ/q9hvX15HMxl08OjX

Score

1^/10

Malware Config

Signatures

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1672 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1708 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 1672 tasklist.exe
Token: SeDebugPrivilege 1708 NETSTAT.EXE

pid	process
1672	tasklist.exe

pid	process
1708	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1672	tasklist.exe
Token: SeDebugPrivilege	1708	NETSTAT.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1212 wrote to memory of 1672	1212	cmd.exe	tasklist.exe
PID 1212 wrote to memory of 1672	1212	cmd.exe	tasklist.exe
PID 1212 wrote to memory of 1672	1212	cmd.exe	tasklist.exe
PID 1212 wrote to memory of 1708	1212	cmd.exe	NETSTAT.EXE
PID 1212 wrote to memory of 1708	1212	cmd.exe	NETSTAT.EXE
PID 1212 wrote to memory of 1708	1212	cmd.exe	NETSTAT.EXE

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\简历.zip
1⤵
PID:1096

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\NETSTAT.EXE
netstat -ano
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Users\Admin\Desktop\简历\+=+·\-¦¦p+¿+¦-++-+ -¦¦--¦=-º .exe
"C:\Users\Admin\Desktop\简历\+=+·\-¦¦p+¿+¦-++-+ -¦¦--¦=-º .exe"
1⤵
PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-54-0x0000000000000000-mapping.dmp

Download
memory/1708-55-0x0000000000000000-mapping.dmp

Download