81a64a2fe6fd51cb47efc753a6ee9854b2721f0700b9ce94fa9961a5d63c79a3

Analysis

max time kernel
89s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2022, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Damned-Beta.exe
Size

40.0MB
MD5

493d4ce25a3d5e9e86650edb5d119356
SHA1

3cadf2ea6ea7fbdca219dc877a5d6a1d25a1ab12
SHA256

6c5d25d37cd1651863310bbfb85f5b13a768d565db963d1d849883dab9d9e58d
SHA512

d75881020ea92789892e5757d252f7fc3f530278b40b356644f4926c10da658653f36c8fe8a0beec9a6151ae667e5f4f7e5b62c7ea9ac0533a00aaad5bdf6784
SSDEEP

393216:Z1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYf5:ZMguj8Q4VfvSqFTrY8bbJ2

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4636	Damned-Beta.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	736	WMIC.exe
Token: SeSecurityPrivilege	736	WMIC.exe
Token: SeTakeOwnershipPrivilege	736	WMIC.exe
Token: SeLoadDriverPrivilege	736	WMIC.exe
Token: SeSystemProfilePrivilege	736	WMIC.exe
Token: SeSystemtimePrivilege	736	WMIC.exe
Token: SeProfSingleProcessPrivilege	736	WMIC.exe
Token: SeIncBasePriorityPrivilege	736	WMIC.exe
Token: SeCreatePagefilePrivilege	736	WMIC.exe
Token: SeBackupPrivilege	736	WMIC.exe
Token: SeRestorePrivilege	736	WMIC.exe
Token: SeShutdownPrivilege	736	WMIC.exe
Token: SeDebugPrivilege	736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	736	WMIC.exe
Token: SeRemoteShutdownPrivilege	736	WMIC.exe
Token: SeUndockPrivilege	736	WMIC.exe
Token: SeManageVolumePrivilege	736	WMIC.exe
Token: 33	736	WMIC.exe
Token: 34	736	WMIC.exe
Token: 35	736	WMIC.exe
Token: 36	736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	736	WMIC.exe
Token: SeSecurityPrivilege	736	WMIC.exe
Token: SeTakeOwnershipPrivilege	736	WMIC.exe
Token: SeLoadDriverPrivilege	736	WMIC.exe
Token: SeSystemProfilePrivilege	736	WMIC.exe
Token: SeSystemtimePrivilege	736	WMIC.exe
Token: SeProfSingleProcessPrivilege	736	WMIC.exe
Token: SeIncBasePriorityPrivilege	736	WMIC.exe
Token: SeCreatePagefilePrivilege	736	WMIC.exe
Token: SeBackupPrivilege	736	WMIC.exe
Token: SeRestorePrivilege	736	WMIC.exe
Token: SeShutdownPrivilege	736	WMIC.exe
Token: SeDebugPrivilege	736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	736	WMIC.exe
Token: SeRemoteShutdownPrivilege	736	WMIC.exe
Token: SeUndockPrivilege	736	WMIC.exe
Token: SeManageVolumePrivilege	736	WMIC.exe
Token: 33	736	WMIC.exe
Token: 34	736	WMIC.exe
Token: 35	736	WMIC.exe
Token: 36	736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4156	WMIC.exe
Token: SeSecurityPrivilege	4156	WMIC.exe
Token: SeTakeOwnershipPrivilege	4156	WMIC.exe
Token: SeLoadDriverPrivilege	4156	WMIC.exe
Token: SeSystemProfilePrivilege	4156	WMIC.exe
Token: SeSystemtimePrivilege	4156	WMIC.exe
Token: SeProfSingleProcessPrivilege	4156	WMIC.exe
Token: SeIncBasePriorityPrivilege	4156	WMIC.exe
Token: SeCreatePagefilePrivilege	4156	WMIC.exe
Token: SeBackupPrivilege	4156	WMIC.exe
Token: SeRestorePrivilege	4156	WMIC.exe
Token: SeShutdownPrivilege	4156	WMIC.exe
Token: SeDebugPrivilege	4156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4156	WMIC.exe
Token: SeRemoteShutdownPrivilege	4156	WMIC.exe
Token: SeUndockPrivilege	4156	WMIC.exe
Token: SeManageVolumePrivilege	4156	WMIC.exe
Token: 33	4156	WMIC.exe
Token: 34	4156	WMIC.exe
Token: 35	4156	WMIC.exe
Token: 36	4156	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4156	WMIC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 5032	4636	Damned-Beta.exe	83
PID 4636 wrote to memory of 5032	4636	Damned-Beta.exe	83
PID 5032 wrote to memory of 736	5032	cmd.exe	84
PID 5032 wrote to memory of 736	5032	cmd.exe	84
PID 4636 wrote to memory of 1176	4636	Damned-Beta.exe	85
PID 4636 wrote to memory of 1176	4636	Damned-Beta.exe	85
PID 1176 wrote to memory of 4156	1176	cmd.exe	86
PID 1176 wrote to memory of 4156	1176	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\Damned-Beta.exe
"C:\Users\Admin\AppData\Local\Temp\Damned-Beta.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pkg\c81fabc0623e7de99aac6d66144787df524f8bb678beb4187eded56defbb9cf4\node-dpapi.node

Filesize
154KB

MD5
c97e82657d4bb509459f6be05597af6d

SHA1
253dba77ba1c588fa056e95ac13d781b5a9b3e09

SHA256
c81fabc0623e7de99aac6d66144787df524f8bb678beb4187eded56defbb9cf4

SHA512
5a06780b12d5390b52e145c27aa41450de6e427be744a6bded4e6a4438bc21c88ecbdcf923c3485a0a955f55a625cdc9550ba89c1091b814aa392d7b56961ba6

Download Submit