4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3

General

Target

4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe
Size

3.1MB
MD5

64e554cd95971c4a00ae1f6677331cce
SHA1

d7189c4afd0bfbdf12323917434dcfdd55e8b300
SHA256

4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3
SHA512

4000e391279f0d930079d2355f78cb173cb00308e3c847edfe473daf9c08000c7acaa6fd5accc2a91b389cdbc4a0f5ca2511ca9a65760a7042d8d466fc726074
SSDEEP

49152:OyzYMPq8q0IXEt0OS8p1Rdf5k6N21D5MGYD9IzaoSLS6k1h+LW:Oo9S8fsKFS8HqSa+LW

Score

1^/10

Malware Config

Signatures

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2300 systeminfo.exe

pid	process
2300	systeminfo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3904	WMIC.exe
Token: SeSecurityPrivilege	3904	WMIC.exe
Token: SeTakeOwnershipPrivilege	3904	WMIC.exe
Token: SeLoadDriverPrivilege	3904	WMIC.exe
Token: SeSystemProfilePrivilege	3904	WMIC.exe
Token: SeSystemtimePrivilege	3904	WMIC.exe
Token: SeProfSingleProcessPrivilege	3904	WMIC.exe
Token: SeIncBasePriorityPrivilege	3904	WMIC.exe
Token: SeCreatePagefilePrivilege	3904	WMIC.exe
Token: SeBackupPrivilege	3904	WMIC.exe
Token: SeRestorePrivilege	3904	WMIC.exe
Token: SeShutdownPrivilege	3904	WMIC.exe
Token: SeDebugPrivilege	3904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3904	WMIC.exe
Token: SeRemoteShutdownPrivilege	3904	WMIC.exe
Token: SeUndockPrivilege	3904	WMIC.exe
Token: SeManageVolumePrivilege	3904	WMIC.exe
Token: 33	3904	WMIC.exe
Token: 34	3904	WMIC.exe
Token: 35	3904	WMIC.exe
Token: 36	3904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3904	WMIC.exe
Token: SeSecurityPrivilege	3904	WMIC.exe
Token: SeTakeOwnershipPrivilege	3904	WMIC.exe
Token: SeLoadDriverPrivilege	3904	WMIC.exe
Token: SeSystemProfilePrivilege	3904	WMIC.exe
Token: SeSystemtimePrivilege	3904	WMIC.exe
Token: SeProfSingleProcessPrivilege	3904	WMIC.exe
Token: SeIncBasePriorityPrivilege	3904	WMIC.exe
Token: SeCreatePagefilePrivilege	3904	WMIC.exe
Token: SeBackupPrivilege	3904	WMIC.exe
Token: SeRestorePrivilege	3904	WMIC.exe
Token: SeShutdownPrivilege	3904	WMIC.exe
Token: SeDebugPrivilege	3904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3904	WMIC.exe
Token: SeRemoteShutdownPrivilege	3904	WMIC.exe
Token: SeUndockPrivilege	3904	WMIC.exe
Token: SeManageVolumePrivilege	3904	WMIC.exe
Token: 33	3904	WMIC.exe
Token: 34	3904	WMIC.exe
Token: 35	3904	WMIC.exe
Token: 36	3904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3324	wmic.exe
Token: SeSecurityPrivilege	3324	wmic.exe
Token: SeTakeOwnershipPrivilege	3324	wmic.exe
Token: SeLoadDriverPrivilege	3324	wmic.exe
Token: SeSystemProfilePrivilege	3324	wmic.exe
Token: SeSystemtimePrivilege	3324	wmic.exe
Token: SeProfSingleProcessPrivilege	3324	wmic.exe
Token: SeIncBasePriorityPrivilege	3324	wmic.exe
Token: SeCreatePagefilePrivilege	3324	wmic.exe
Token: SeBackupPrivilege	3324	wmic.exe
Token: SeRestorePrivilege	3324	wmic.exe
Token: SeShutdownPrivilege	3324	wmic.exe
Token: SeDebugPrivilege	3324	wmic.exe
Token: SeSystemEnvironmentPrivilege	3324	wmic.exe
Token: SeRemoteShutdownPrivilege	3324	wmic.exe
Token: SeUndockPrivilege	3324	wmic.exe
Token: SeManageVolumePrivilege	3324	wmic.exe
Token: 33	3324	wmic.exe
Token: 34	3324	wmic.exe
Token: 35	3324	wmic.exe
Token: 36	3324	wmic.exe
Token: SeIncreaseQuotaPrivilege	3324	wmic.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1804 wrote to memory of 2404	1804	4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe	cmd.exe
PID 1804 wrote to memory of 2404	1804	4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe	cmd.exe
PID 1804 wrote to memory of 2404	1804	4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe	cmd.exe
PID 2404 wrote to memory of 3904	2404	cmd.exe	WMIC.exe
PID 2404 wrote to memory of 3904	2404	cmd.exe	WMIC.exe
PID 2404 wrote to memory of 3904	2404	cmd.exe	WMIC.exe
PID 1804 wrote to memory of 3324	1804	4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe	wmic.exe
PID 1804 wrote to memory of 3324	1804	4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe	wmic.exe
PID 1804 wrote to memory of 3324	1804	4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe	wmic.exe
PID 1804 wrote to memory of 3608	1804	4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe	cmd.exe
PID 1804 wrote to memory of 3608	1804	4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe	cmd.exe
PID 1804 wrote to memory of 3608	1804	4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe	cmd.exe
PID 3608 wrote to memory of 3416	3608	cmd.exe	WMIC.exe
PID 3608 wrote to memory of 3416	3608	cmd.exe	WMIC.exe
PID 3608 wrote to memory of 3416	3608	cmd.exe	WMIC.exe
PID 1804 wrote to memory of 1480	1804	4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe	cmd.exe
PID 1804 wrote to memory of 1480	1804	4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe	cmd.exe
PID 1804 wrote to memory of 1480	1804	4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe	cmd.exe
PID 1480 wrote to memory of 3332	1480	cmd.exe	WMIC.exe
PID 1480 wrote to memory of 3332	1480	cmd.exe	WMIC.exe
PID 1480 wrote to memory of 3332	1480	cmd.exe	WMIC.exe
PID 1804 wrote to memory of 1996	1804	4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe	cmd.exe
PID 1804 wrote to memory of 1996	1804	4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe	cmd.exe
PID 1804 wrote to memory of 1996	1804	4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe	cmd.exe
PID 1996 wrote to memory of 2300	1996	cmd.exe	systeminfo.exe
PID 1996 wrote to memory of 2300	1996	cmd.exe	systeminfo.exe
PID 1996 wrote to memory of 2300	1996	cmd.exe	systeminfo.exe

C:\Users\Admin\AppData\Local\Temp\4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe
"C:\Users\Admin\AppData\Local\Temp\4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
cmd "/c " systeminfo
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads