Analysis
- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 06/03/2023, 19:37
- Static task static1
- Behavioral task behavioral1: Agenda21.pdf (resource win7-20230220-en)
- Behavioral task behavioral2: Agenda21.pdf (resource win10v2004-20230221-en)
- Behavioral task behavioral3: ImportantInformation.exe (resource win7-20230220-en)
- Behavioral task behavioral4: ImportantInformation.exe (resource win10v2004-20230220-en)
- Behavioral task behavioral5: RocketScience.pdf (resource win7-20230220-en)
- Behavioral task behavioral6: RocketScience.pdf (resource win10v2004-20230220-en)
- Behavioral task behavioral7: nato security briefing.pdf (resource win7-20230220-en)
- Behavioral task behavioral8: nato security briefing.pdf (resource win10v2004-20230221-en)
General
- Target: ImportantInformation.exe
- Size: 2.6MB
- MD5: d64b18f7070505c6ed7c39588ceb7371
- SHA1: defe294f2e4567c5b66f6d66c0c7d86cd7cb9ff0
- SHA256: 70fefe7f6112ca31d5d61a80802fcad687fad6b51ae405d25ac796df776084bd
- SHA512: a68b9b73a30e267ebdf9ad03fd6518d6d688b63eb560facb19370980dccaa60eb85bb3dab91361213dbdd250b13c6caf486319634c377488bc35beb00fe2d838
- SSDEEP: 49152:ZCFvGLWrb/TgvO90dL3BmAFd4A64nsfJhUVUWCqgO3HWAlCD13R4fVdm9HCp7EvS:cFquU27Z4k2q+gYNk
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (40 IoCs)
  Every entry is for pid 932 (WMIC.exe); each of the 20 rows below is reported twice in the source, giving the 40 IoCs counted.
  description                           pid  Process
  Token: SeIncreaseQuotaPrivilege       932  WMIC.exe
  Token: SeSecurityPrivilege            932  WMIC.exe
  Token: SeTakeOwnershipPrivilege       932  WMIC.exe
  Token: SeLoadDriverPrivilege          932  WMIC.exe
  Token: SeSystemProfilePrivilege       932  WMIC.exe
  Token: SeSystemtimePrivilege          932  WMIC.exe
  Token: SeProfSingleProcessPrivilege   932  WMIC.exe
  Token: SeIncBasePriorityPrivilege     932  WMIC.exe
  Token: SeCreatePagefilePrivilege      932  WMIC.exe
  Token: SeBackupPrivilege              932  WMIC.exe
  Token: SeRestorePrivilege             932  WMIC.exe
  Token: SeShutdownPrivilege            932  WMIC.exe
  Token: SeDebugPrivilege               932  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   932  WMIC.exe
  Token: SeRemoteShutdownPrivilege      932  WMIC.exe
  Token: SeUndockPrivilege              932  WMIC.exe
  Token: SeManageVolumePrivilege        932  WMIC.exe
  Token: 33                             932  WMIC.exe
  Token: 34                             932  WMIC.exe
  Token: 35                             932  WMIC.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Each of the two rows below is reported three times in the source, giving the 6 IoCs counted.
  description                        pid   Process                   procid_target
  PID 1996 wrote to memory of 1956   1996  ImportantInformation.exe  27
  PID 1956 wrote to memory of 932    1956  cmd.exe                   29
Processes
- C:\Users\Admin\AppData\Local\Temp\ImportantInformation.exe (PID 1996)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ImportantInformation.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1956), child of PID 1996
    Command line: cmd /C wmic /namespace:\\root\wmi PATH MSAcpi_ThermalZoneTemperature get CurrentTemperature
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 932), child of PID 1956
      Command line: wmic /namespace:\\root\wmi PATH MSAcpi_ThermalZoneTemperature get CurrentTemperature
      - Suspicious use of AdjustPrivilegeToken