81a64a2fe6fd51cb47efc753a6ee9854b2721f0700b9ce94fa9961a5d63c79a3

Analysis

max time kernel
53s
max time network
75s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31/12/2022, 20:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Damned-Beta.exe
Size

40.0MB
MD5

493d4ce25a3d5e9e86650edb5d119356
SHA1

3cadf2ea6ea7fbdca219dc877a5d6a1d25a1ab12
SHA256

6c5d25d37cd1651863310bbfb85f5b13a768d565db963d1d849883dab9d9e58d
SHA512

d75881020ea92789892e5757d252f7fc3f530278b40b356644f4926c10da658653f36c8fe8a0beec9a6151ae667e5f4f7e5b62c7ea9ac0533a00aaad5bdf6784
SSDEEP

393216:Z1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYf5:ZMguj8Q4VfvSqFTrY8bbJ2

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3540	Damned-Beta.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4492	WMIC.exe
Token: SeSecurityPrivilege	4492	WMIC.exe
Token: SeTakeOwnershipPrivilege	4492	WMIC.exe
Token: SeLoadDriverPrivilege	4492	WMIC.exe
Token: SeSystemProfilePrivilege	4492	WMIC.exe
Token: SeSystemtimePrivilege	4492	WMIC.exe
Token: SeProfSingleProcessPrivilege	4492	WMIC.exe
Token: SeIncBasePriorityPrivilege	4492	WMIC.exe
Token: SeCreatePagefilePrivilege	4492	WMIC.exe
Token: SeBackupPrivilege	4492	WMIC.exe
Token: SeRestorePrivilege	4492	WMIC.exe
Token: SeShutdownPrivilege	4492	WMIC.exe
Token: SeDebugPrivilege	4492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4492	WMIC.exe
Token: SeRemoteShutdownPrivilege	4492	WMIC.exe
Token: SeUndockPrivilege	4492	WMIC.exe
Token: SeManageVolumePrivilege	4492	WMIC.exe
Token: 33	4492	WMIC.exe
Token: 34	4492	WMIC.exe
Token: 35	4492	WMIC.exe
Token: 36	4492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4492	WMIC.exe
Token: SeSecurityPrivilege	4492	WMIC.exe
Token: SeTakeOwnershipPrivilege	4492	WMIC.exe
Token: SeLoadDriverPrivilege	4492	WMIC.exe
Token: SeSystemProfilePrivilege	4492	WMIC.exe
Token: SeSystemtimePrivilege	4492	WMIC.exe
Token: SeProfSingleProcessPrivilege	4492	WMIC.exe
Token: SeIncBasePriorityPrivilege	4492	WMIC.exe
Token: SeCreatePagefilePrivilege	4492	WMIC.exe
Token: SeBackupPrivilege	4492	WMIC.exe
Token: SeRestorePrivilege	4492	WMIC.exe
Token: SeShutdownPrivilege	4492	WMIC.exe
Token: SeDebugPrivilege	4492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4492	WMIC.exe
Token: SeRemoteShutdownPrivilege	4492	WMIC.exe
Token: SeUndockPrivilege	4492	WMIC.exe
Token: SeManageVolumePrivilege	4492	WMIC.exe
Token: 33	4492	WMIC.exe
Token: 34	4492	WMIC.exe
Token: 35	4492	WMIC.exe
Token: 36	4492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4816	WMIC.exe
Token: SeSecurityPrivilege	4816	WMIC.exe
Token: SeTakeOwnershipPrivilege	4816	WMIC.exe
Token: SeLoadDriverPrivilege	4816	WMIC.exe
Token: SeSystemProfilePrivilege	4816	WMIC.exe
Token: SeSystemtimePrivilege	4816	WMIC.exe
Token: SeProfSingleProcessPrivilege	4816	WMIC.exe
Token: SeIncBasePriorityPrivilege	4816	WMIC.exe
Token: SeCreatePagefilePrivilege	4816	WMIC.exe
Token: SeBackupPrivilege	4816	WMIC.exe
Token: SeRestorePrivilege	4816	WMIC.exe
Token: SeShutdownPrivilege	4816	WMIC.exe
Token: SeDebugPrivilege	4816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4816	WMIC.exe
Token: SeRemoteShutdownPrivilege	4816	WMIC.exe
Token: SeUndockPrivilege	4816	WMIC.exe
Token: SeManageVolumePrivilege	4816	WMIC.exe
Token: 33	4816	WMIC.exe
Token: 34	4816	WMIC.exe
Token: 35	4816	WMIC.exe
Token: 36	4816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4816	WMIC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 3920	3540	Damned-Beta.exe	67
PID 3540 wrote to memory of 3920	3540	Damned-Beta.exe	67
PID 3920 wrote to memory of 4492	3920	cmd.exe	68
PID 3920 wrote to memory of 4492	3920	cmd.exe	68
PID 3540 wrote to memory of 2072	3540	Damned-Beta.exe	70
PID 3540 wrote to memory of 2072	3540	Damned-Beta.exe	70
PID 2072 wrote to memory of 4816	2072	cmd.exe	71
PID 2072 wrote to memory of 4816	2072	cmd.exe	71

C:\Users\Admin\AppData\Local\Temp\Damned-Beta.exe
"C:\Users\Admin\AppData\Local\Temp\Damned-Beta.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\pkg\c81fabc0623e7de99aac6d66144787df524f8bb678beb4187eded56defbb9cf4\node-dpapi.node

Filesize
154KB

MD5
c97e82657d4bb509459f6be05597af6d

SHA1
253dba77ba1c588fa056e95ac13d781b5a9b3e09

SHA256
c81fabc0623e7de99aac6d66144787df524f8bb678beb4187eded56defbb9cf4

SHA512
5a06780b12d5390b52e145c27aa41450de6e427be744a6bded4e6a4438bc21c88ecbdcf923c3485a0a955f55a625cdc9550ba89c1091b814aa392d7b56961ba6

Download Submit