Analysis

  • max time kernel
    27s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/01/2023, 19:02

General

  • Target

    get_all.exe

  • Size

    14KB

  • MD5

    027f5e4fc96f33900bd2bd718523d4c8

  • SHA1

    08525c94ecddc4726a51d93f38d5279b9873ea2b

  • SHA256

    9a5e141df08a722f09f67875304380dd41de01c4ccaf5b40527fa1aef43512e8

  • SHA512

    cf5d37a424fab8f26ff978b2cc8726783fffb54a146d19947f8ea20e2378c2810aa9676b9da50626a03741c3e66205f60ec0ed82a45b9ba526c1eda4ba3278b4

  • SSDEEP

    384:Ic6IZMgwObRIHdLcO0avRHTiRfuugtNKS1f51BTl6Zkg:tjl9I9LcxgTKIBB6Zkg

Score
6/10

Malware Config

Signatures

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses a command-line utility (ipconfig, netstat) to view the network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\get_all.exe
    "C:\Users\Admin\AppData\Local\Temp\get_all.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C whoami
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\system32\whoami.exe
        whoami
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1932
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C net user
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:860
      • C:\Windows\system32\net.exe
        net user
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1824
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 user
          4⤵
          PID:740
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:1072
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C tasklist /svc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\system32\tasklist.exe
        tasklist /svc
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1724
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C netstat -ano
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Windows\system32\NETSTAT.EXE
        netstat -ano
        3⤵
        • Gathers network information
        • Suspicious use of AdjustPrivilegeToken
        PID:288
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C cmdkey /list
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\system32\cmdkey.exe
        cmdkey /list
        3⤵
        PID:1880
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C systeminfo
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Windows\system32\systeminfo.exe
        systeminfo
        3⤵
        • Gathers system information
        PID:1224
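Seen as process-creation telemetry, the tree above is one parent spawning a burst of discovery utilities through `cmd.exe /C` within a few seconds. The following is an added detection example written for this page, not code from the sandbox vendor or from the report: it walks each discovery tool's parent chain past cmd.exe (and past net.exe for net1.exe) back to the launching process, then alerts when a single originator reaches a threshold of distinct ATT&CK techniques inside a time window. The events are constructed to mirror the tree's images, command lines and PIDs; the explorer.exe parent (PID 1500), the timestamps, the trailing benign ipconfig run and the technique-ID mapping are the editor's assumptions, not values taken from the report.

```python
"""Flag a process that fans out to many host/network discovery utilities.
Added example, not from the sandbox report. Events are constructed to mirror the
report's tree; PID 1500 explorer.exe and the benign trailing ipconfig are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Lower-cased image name -> technique-level ATT&CK ID (editor's mapping; the
# report itself lists no technique IDs).
DISCOVERY_TOOLS: Dict[str, str] = {
    "whoami.exe": "T1033",      # System Owner/User Discovery
    "net.exe": "T1087",         # Account Discovery
    "net1.exe": "T1087",
    "ipconfig.exe": "T1016",    # System Network Configuration Discovery
    "tasklist.exe": "T1057",    # Process Discovery
    "netstat.exe": "T1049",     # System Network Connections Discovery
    "cmdkey.exe": "T1555",      # Credentials from Password Stores
    "systeminfo.exe": "T1082",  # System Information Discovery
}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def originator(event: dict, by_pid: Dict[int, dict]) -> dict:
    """Walk up past shells and other discovery tools, so cmd.exe /C net user ->
    net.exe -> net1.exe is credited to whatever launched the shell. Returns the
    last known record if the chain leaves the event set."""
    current, seen = event, set()
    while True:
        parent = by_pid.get(current["ppid"])
        if parent is None or parent["pid"] in seen:
            return current
        seen.add(parent["pid"])
        name = basename(parent["image"])
        if name not in SHELLS and name not in DISCOVERY_TOOLS:
            return parent
        current = parent


def find_discovery_bursts(events: List[dict], threshold: int = 4,
                          window: timedelta = timedelta(seconds=60)) -> List[dict]:
    """One alert per originating process that reaches `threshold` distinct
    techniques within `window`. Keys on bare PID for brevity; real telemetry
    should key on Sysmon ProcessGuid or PID + creation time (PIDs are reused)."""
    by_pid = {e["pid"]: e for e in events}
    hits: Dict[int, List[tuple]] = defaultdict(list)
    for e in sorted(events, key=lambda x: x["time"]):
        name = basename(e["image"])
        if name in DISCOVERY_TOOLS:
            root = originator(e, by_pid)
            hits[root["pid"]].append((e["time"], name, DISCOVERY_TOOLS[name]))
    alerts = []
    for pid, items in hits.items():
        for t0, _, _ in items:                       # slide window over each start
            in_win = [x for x in items if t0 <= x[0] <= t0 + window]
            techniques = sorted({x[2] for x in in_win})
            if len(techniques) >= threshold:
                alerts.append({"pid": pid, "image": by_pid[pid]["image"],
                               "techniques": techniques,
                               "tools": sorted({x[1] for x in in_win}),
                               "first": in_win[0][0], "last": in_win[-1][0]})
                break                                # one alert per originator
    return alerts


T0 = datetime(2023, 1, 6, 19, 2, 0)   # constructed base time
CMD, SYS = r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32"


def ev(sec: int, pid: int, ppid: int, image: str, cmdline: str) -> dict:
    return {"time": T0 + timedelta(seconds=sec), "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [
    ev(0, 1500, 1, r"C:\Windows\explorer.exe", "explorer.exe"),    # assumed parent
    ev(0, 2036, 1500, r"C:\Users\Admin\AppData\Local\Temp\get_all.exe",
       r'"C:\Users\Admin\AppData\Local\Temp\get_all.exe"'),
    ev(1, 1704, 2036, CMD, '"cmd.exe" /C whoami'),
    ev(1, 1932, 1704, SYS + r"\whoami.exe", "whoami"),
    ev(2, 860, 2036, CMD, '"cmd.exe" /C net user'),
    ev(2, 1824, 860, SYS + r"\net.exe", "net user"),
    ev(2, 740, 1824, SYS + r"\net1.exe", SYS + r"\net1 user"),
    ev(3, 1312, 2036, CMD, '"cmd.exe" /C ipconfig /all'),
    ev(3, 1072, 1312, SYS + r"\ipconfig.exe", "ipconfig /all"),
    ev(4, 1176, 2036, CMD, '"cmd.exe" /C tasklist /svc'),
    ev(4, 1724, 1176, SYS + r"\tasklist.exe", "tasklist /svc"),
    ev(5, 628, 2036, CMD, '"cmd.exe" /C netstat -ano'),
    ev(5, 288, 628, SYS + r"\NETSTAT.EXE", "netstat -ano"),        # case as logged
    ev(6, 1836, 2036, CMD, '"cmd.exe" /C cmdkey /list'),
    ev(6, 1880, 1836, SYS + r"\cmdkey.exe", "cmdkey /list"),
    ev(7, 848, 2036, CMD, '"cmd.exe" /C systeminfo'),
    ev(7, 1224, 848, SYS + r"\systeminfo.exe", "systeminfo"),
    ev(40, 3100, 1500, CMD, '"cmd.exe"'),                          # assumed benign shell
    ev(45, 3101, 3100, SYS + r"\ipconfig.exe", "ipconfig /all"),   # one lookup: no alert
]

if __name__ == "__main__":
    for a in find_discovery_bursts(SAMPLE_EVENTS):
        print(f'{a["image"]} (PID {a["pid"]}): {len(a["tools"])} discovery tools, '
              f'{", ".join(a["techniques"])}, '
              f'{(a["last"] - a["first"]).total_seconds():.0f}s span')
```

Run as written, the only alert is for get_all.exe (PID 2036) with all seven techniques inside a 6-second span; the interactive ipconfig under explorer.exe stays below the threshold. Two caveats for production use: the image-name match is trivially evaded by copying a utility under another name, so match on the `OriginalFileName` field Sysmon records from the PE version resource rather than on the path; and the threshold and window should be tuned against admin and inventory-agent baselines, which legitimately run systeminfo and ipconfig but rarely cmdkey /list alongside them.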

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1880-69-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

    Filesize

    8KB

  • memory/2036-55-0x0000000000490000-0x0000000000510000-memory.dmp

    Filesize

    512KB

  • memory/2036-54-0x000007FEF40D0000-0x000007FEF4AF3000-memory.dmp

    Filesize

    10.1MB