4e494a7c6b5c0981c5226023cb7081668b64caf116e67031ccbb3fa988d3b8c2

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/01/2023, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.4MB
MD5

4824fac10958a33ed695d0172bdd5be4
SHA1

f403c205b673a5332e0996a8c4ab8034638e3629
SHA256

4e494a7c6b5c0981c5226023cb7081668b64caf116e67031ccbb3fa988d3b8c2
SHA512

ebfea0cee217e97b31bd57d62723f296571f442817df33da464c7a4096a8b0512b94b0b02e40c24851fa481ff40e7d0d75bab1e69619f7d39ed2bc2520cbee1f
SSDEEP

24576:IwAFBUfhs66Man9IIW2Y5fsmMaebkCxvH6muQ5y3h34l2it:wL66MaSIpWral2it

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	whoami.exe
Token: SeDebugPrivilege	1312	whoami.exe
Token: SeDebugPrivilege	1164	whoami.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1620	1992	tmp.exe	29
PID 1992 wrote to memory of 1620	1992	tmp.exe	29
PID 1992 wrote to memory of 1620	1992	tmp.exe	29
PID 1992 wrote to memory of 1620	1992	tmp.exe	29
PID 1620 wrote to memory of 1656	1620	cmd.exe	30
PID 1620 wrote to memory of 1656	1620	cmd.exe	30
PID 1620 wrote to memory of 1656	1620	cmd.exe	30
PID 1620 wrote to memory of 1656	1620	cmd.exe	30
PID 1992 wrote to memory of 1712	1992	tmp.exe	31
PID 1992 wrote to memory of 1712	1992	tmp.exe	31
PID 1992 wrote to memory of 1712	1992	tmp.exe	31
PID 1992 wrote to memory of 1712	1992	tmp.exe	31
PID 1712 wrote to memory of 1496	1712	cmd.exe	32
PID 1712 wrote to memory of 1496	1712	cmd.exe	32
PID 1712 wrote to memory of 1496	1712	cmd.exe	32
PID 1712 wrote to memory of 1496	1712	cmd.exe	32
PID 1992 wrote to memory of 1584	1992	tmp.exe	33
PID 1992 wrote to memory of 1584	1992	tmp.exe	33
PID 1992 wrote to memory of 1584	1992	tmp.exe	33
PID 1992 wrote to memory of 1584	1992	tmp.exe	33
PID 1992 wrote to memory of 1508	1992	tmp.exe	34
PID 1992 wrote to memory of 1508	1992	tmp.exe	34
PID 1992 wrote to memory of 1508	1992	tmp.exe	34
PID 1992 wrote to memory of 1508	1992	tmp.exe	34
PID 1508 wrote to memory of 1312	1508	cmd.exe	35
PID 1508 wrote to memory of 1312	1508	cmd.exe	35
PID 1508 wrote to memory of 1312	1508	cmd.exe	35
PID 1508 wrote to memory of 1312	1508	cmd.exe	35
PID 1992 wrote to memory of 908	1992	tmp.exe	36
PID 1992 wrote to memory of 908	1992	tmp.exe	36
PID 1992 wrote to memory of 908	1992	tmp.exe	36
PID 1992 wrote to memory of 908	1992	tmp.exe	36
PID 908 wrote to memory of 328	908	cmd.exe	37
PID 908 wrote to memory of 328	908	cmd.exe	37
PID 908 wrote to memory of 328	908	cmd.exe	37
PID 908 wrote to memory of 328	908	cmd.exe	37
PID 1992 wrote to memory of 1808	1992	tmp.exe	38
PID 1992 wrote to memory of 1808	1992	tmp.exe	38
PID 1992 wrote to memory of 1808	1992	tmp.exe	38
PID 1992 wrote to memory of 1808	1992	tmp.exe	38
PID 1992 wrote to memory of 268	1992	tmp.exe	39
PID 1992 wrote to memory of 268	1992	tmp.exe	39
PID 1992 wrote to memory of 268	1992	tmp.exe	39
PID 1992 wrote to memory of 268	1992	tmp.exe	39
PID 268 wrote to memory of 1164	268	cmd.exe	40
PID 268 wrote to memory of 1164	268	cmd.exe	40
PID 268 wrote to memory of 1164	268	cmd.exe	40
PID 268 wrote to memory of 1164	268	cmd.exe	40
PID 1992 wrote to memory of 1688	1992	tmp.exe	41
PID 1992 wrote to memory of 1688	1992	tmp.exe	41
PID 1992 wrote to memory of 1688	1992	tmp.exe	41
PID 1992 wrote to memory of 1688	1992	tmp.exe	41
PID 1688 wrote to memory of 976	1688	cmd.exe	42
PID 1688 wrote to memory of 976	1688	cmd.exe	42
PID 1688 wrote to memory of 976	1688	cmd.exe	42
PID 1688 wrote to memory of 976	1688	cmd.exe	42
PID 1992 wrote to memory of 308	1992	tmp.exe	43
PID 1992 wrote to memory of 308	1992	tmp.exe	43
PID 1992 wrote to memory of 308	1992	tmp.exe	43
PID 1992 wrote to memory of 308	1992	tmp.exe	43

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c whoami > c.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\whoami.exe
    whoami
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c hostname > c.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\HOSTNAME.EXE
    hostname
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c dir > c.txt
  2⤵
  PID:1584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c whoami > c.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\whoami.exe
    whoami
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c hostname > c.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\SysWOW64\HOSTNAME.EXE
    hostname
    3⤵
    PID:328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c dir > c.txt
  2⤵
  PID:1808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c whoami > c.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\whoami.exe
    whoami
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c hostname > c.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\HOSTNAME.EXE
    hostname
    3⤵
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c dir > c.txt
  2⤵
  PID:308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c.txt

Filesize
16B

MD5
1f8d5c45201955980074996264e3055e

SHA1
6bd4a5c17b76d5fc1f524e25a3a5dd64ed41eb08

SHA256
3dd8dd94482125b52c822c2eae2a0682600620c986f363fa788b60dc10d36f3b

SHA512
c610a4109261b0d0796ace7a9bf18dbde887c8cc19bebaa9d9a3275e967ac7f33d8faa93f8a1215f95e301cdf7724763e12dc7f09f1fba8d2b29e75f8b660741

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.txt

Filesize
10B

MD5
ba3ac0fbe7151a821781c1a7df7d41c8

SHA1
3ad298fcfbc4e08fd1e7d2c4a9f28b6b5b5d1ba9

SHA256
b0f595d970a7d10839b72b46af11cd1d399611fe833641af4cfeba4fcd4ea464

SHA512
5ef7a8b9a22e94f6612acbe308d828b91b016daf634250ae3bdc2092020b223999e65ccef34ee3d02c2b2413ae9d1b6030c619efb2d77e61d11e142f954c40e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.txt

Filesize
3KB

MD5
b9e20a37b0e5678927ed22876290e179

SHA1
ea053b39fbcb0778424e36b961455e95db1f25e4

SHA256
746f9d41151b48911d83eae4bfccb878830d20eb569092e58a0608a64e2bc329

SHA512
2f8222020be40ece6753f693aede445153e1b283a83a7ae6b5f724746ca951de2c94de6a36e0981aa6de65af9104633cff18c0b708535ba15617cfe5339d0fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.txt

Filesize
16B

MD5
1f8d5c45201955980074996264e3055e

SHA1
6bd4a5c17b76d5fc1f524e25a3a5dd64ed41eb08

SHA256
3dd8dd94482125b52c822c2eae2a0682600620c986f363fa788b60dc10d36f3b

SHA512
c610a4109261b0d0796ace7a9bf18dbde887c8cc19bebaa9d9a3275e967ac7f33d8faa93f8a1215f95e301cdf7724763e12dc7f09f1fba8d2b29e75f8b660741

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.txt

Filesize
10B

MD5
ba3ac0fbe7151a821781c1a7df7d41c8

SHA1
3ad298fcfbc4e08fd1e7d2c4a9f28b6b5b5d1ba9

SHA256
b0f595d970a7d10839b72b46af11cd1d399611fe833641af4cfeba4fcd4ea464

SHA512
5ef7a8b9a22e94f6612acbe308d828b91b016daf634250ae3bdc2092020b223999e65ccef34ee3d02c2b2413ae9d1b6030c619efb2d77e61d11e142f954c40e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.txt

Filesize
3KB

MD5
e59027a9f8f8acdfc393d2b39a277ee9

SHA1
f6eb32ddf843c284c2ea9a18234aef1a55553d53

SHA256
5517a2d6f0f217a8ac77fed4e5cc502db94299d9f8d4c60f7bd1efe6c591f3ae

SHA512
fc598575f7b6ef91d2d0a655762f2c8073c9decbeee41cc4c999690fe40abc185fa235992eb4339e718ac7c98b319e12d5e7fa8ff696ca3cca7cdfdaf49f7759

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.txt

Filesize
16B

MD5
1f8d5c45201955980074996264e3055e

SHA1
6bd4a5c17b76d5fc1f524e25a3a5dd64ed41eb08

SHA256
3dd8dd94482125b52c822c2eae2a0682600620c986f363fa788b60dc10d36f3b

SHA512
c610a4109261b0d0796ace7a9bf18dbde887c8cc19bebaa9d9a3275e967ac7f33d8faa93f8a1215f95e301cdf7724763e12dc7f09f1fba8d2b29e75f8b660741

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.txt

Filesize
10B

MD5
ba3ac0fbe7151a821781c1a7df7d41c8

SHA1
3ad298fcfbc4e08fd1e7d2c4a9f28b6b5b5d1ba9

SHA256
b0f595d970a7d10839b72b46af11cd1d399611fe833641af4cfeba4fcd4ea464

SHA512
5ef7a8b9a22e94f6612acbe308d828b91b016daf634250ae3bdc2092020b223999e65ccef34ee3d02c2b2413ae9d1b6030c619efb2d77e61d11e142f954c40e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.txt

Filesize
3KB

MD5
4e671145294ecf6b132293f809203358

SHA1
845184ce976fd12aeab41eee3c3f22c7a20c78fe

SHA256
28f41cac7e429353aeb3d901df613a2272aaaba6ef696a226e52919d1b497646

SHA512
12ac07693a883f5641d2aea3b0730707014353f834c8afc689df80bf0f231e4014c7edf1d472ea52b79f717dc5e613c0cb15f137929abafc52b15061c7d07ff0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads