45e9824c87d284abd7072c0eb8c2bfdbeba2eb0b15005c36499df62d370f310e

Analysis

max time kernel
109s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2023, 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

808KB
MD5

7cd39f854e71cb4fc42e0318032d0c4c
SHA1

63b231e6336be60d274c696e926c06a91ce85185
SHA256

45e9824c87d284abd7072c0eb8c2bfdbeba2eb0b15005c36499df62d370f310e
SHA512

150c7d04499734019de685a866861311a1e1eb56bd9926d9e4b35fbae20d2edebd2aa3ca0a045c9b84aa3751dd1ae6f115a725b2cb42b278c7d32f0c640e7acb
SSDEEP

24576:GCD34eBS4FDvRdNcsYk8BfOhFtoBtqC8JWhbr:v34R4FD9csYkqUF2tsgbr

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 3404	1476	tmp.exe	86
PID 1476 wrote to memory of 3404	1476	tmp.exe	86
PID 1476 wrote to memory of 4580	1476	tmp.exe	87
PID 1476 wrote to memory of 4580	1476	tmp.exe	87
PID 1476 wrote to memory of 2096	1476	tmp.exe	88
PID 1476 wrote to memory of 2096	1476	tmp.exe	88
PID 1476 wrote to memory of 428	1476	tmp.exe	89
PID 1476 wrote to memory of 428	1476	tmp.exe	89
PID 1476 wrote to memory of 428	1476	tmp.exe	89
PID 1476 wrote to memory of 2052	1476	tmp.exe	90
PID 1476 wrote to memory of 2052	1476	tmp.exe	90
PID 1476 wrote to memory of 4236	1476	tmp.exe	91
PID 1476 wrote to memory of 4236	1476	tmp.exe	91
PID 1476 wrote to memory of 1004	1476	tmp.exe	92
PID 1476 wrote to memory of 1004	1476	tmp.exe	92
PID 1476 wrote to memory of 648	1476	tmp.exe	93
PID 1476 wrote to memory of 648	1476	tmp.exe	93
PID 1476 wrote to memory of 2232	1476	tmp.exe	94
PID 1476 wrote to memory of 2232	1476	tmp.exe	94
PID 1476 wrote to memory of 5092	1476	tmp.exe	95
PID 1476 wrote to memory of 5092	1476	tmp.exe	95
PID 1476 wrote to memory of 3312	1476	tmp.exe	96
PID 1476 wrote to memory of 3312	1476	tmp.exe	96
PID 1476 wrote to memory of 4516	1476	tmp.exe	97
PID 1476 wrote to memory of 4516	1476	tmp.exe	97
PID 1476 wrote to memory of 1428	1476	tmp.exe	98
PID 1476 wrote to memory of 1428	1476	tmp.exe	98
PID 1476 wrote to memory of 1488	1476	tmp.exe	99
PID 1476 wrote to memory of 1488	1476	tmp.exe	99
PID 1476 wrote to memory of 3068	1476	tmp.exe	100
PID 1476 wrote to memory of 3068	1476	tmp.exe	100
PID 1476 wrote to memory of 3952	1476	tmp.exe	101
PID 1476 wrote to memory of 3952	1476	tmp.exe	101
PID 1476 wrote to memory of 208	1476	tmp.exe	102
PID 1476 wrote to memory of 208	1476	tmp.exe	102
PID 1476 wrote to memory of 220	1476	tmp.exe	103
PID 1476 wrote to memory of 220	1476	tmp.exe	103
PID 1476 wrote to memory of 228	1476	tmp.exe	104
PID 1476 wrote to memory of 228	1476	tmp.exe	104
PID 1476 wrote to memory of 100	1476	tmp.exe	105
PID 1476 wrote to memory of 100	1476	tmp.exe	105
PID 1476 wrote to memory of 4440	1476	tmp.exe	106
PID 1476 wrote to memory of 4440	1476	tmp.exe	106
PID 1476 wrote to memory of 2976	1476	tmp.exe	107
PID 1476 wrote to memory of 2976	1476	tmp.exe	107
PID 1476 wrote to memory of 2976	1476	tmp.exe	107
PID 1476 wrote to memory of 3912	1476	tmp.exe	108
PID 1476 wrote to memory of 3912	1476	tmp.exe	108
PID 1476 wrote to memory of 4084	1476	tmp.exe	109
PID 1476 wrote to memory of 4084	1476	tmp.exe	109
PID 1476 wrote to memory of 4760	1476	tmp.exe	110
PID 1476 wrote to memory of 4760	1476	tmp.exe	110
PID 1476 wrote to memory of 4764	1476	tmp.exe	111
PID 1476 wrote to memory of 4764	1476	tmp.exe	111
PID 1476 wrote to memory of 4796	1476	tmp.exe	112
PID 1476 wrote to memory of 4796	1476	tmp.exe	112
PID 1476 wrote to memory of 4772	1476	tmp.exe	113
PID 1476 wrote to memory of 4772	1476	tmp.exe	113
PID 1476 wrote to memory of 4748	1476	tmp.exe	114
PID 1476 wrote to memory of 4748	1476	tmp.exe	114
PID 1476 wrote to memory of 3140	1476	tmp.exe	115
PID 1476 wrote to memory of 3140	1476	tmp.exe	115
PID 1476 wrote to memory of 4704	1476	tmp.exe	116
PID 1476 wrote to memory of 4704	1476	tmp.exe	116

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  2⤵
  PID:4580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
  2⤵
  PID:4236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:1004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
  2⤵
  PID:648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:5092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  2⤵
  PID:3312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:4516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
  2⤵
  PID:1428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  2⤵
  PID:1488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:3068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  2⤵
  PID:3952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
  2⤵
  PID:220
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
  2⤵
  PID:228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
  2⤵
  PID:100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:4440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:3912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:4084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:4760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:4796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:4772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:4748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:3140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
  2⤵
  PID:4704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1476-133-0x000001F97DD60000-0x000001F97DE2E000-memory.dmp

Filesize
824KB

Download
memory/1476-134-0x000001F9191C0000-0x000001F9191D0000-memory.dmp

Filesize
64KB

Download