0d5b423fdb36b35af689c4032b4911d39267afa978e006ff2272441ea91d082d

Analysis

max time kernel
144s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 18:01 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

57.4MB
MD5

19263420e7ff10b65f0677a2ec621c7e
SHA1

57542d9dfca7b87359ed8b8b1bcb393cd4ff54a1
SHA256

0d5b423fdb36b35af689c4032b4911d39267afa978e006ff2272441ea91d082d
SHA512

e899074d8b41d47680fee174fac36632dd1a18650728682fc528b005e9e1d34ecf92ae154970da9772259100c1b3f6eaa92db9777ff42b2da0dfb84d2f0443ef
SSDEEP

393216:uirSIUJHFC2b5mXKQ/kb/psajPaoGiOuBk8K0fUAjMsKMWm3gXvLhbMb7o3a9Cc1:uj1CXF092XvCYuCcwTpH43pb

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4064	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4064	tasklist.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2244	2936	sample.exe	85
PID 2936 wrote to memory of 2244	2936	sample.exe	85
PID 2244 wrote to memory of 4064	2244	cmd.exe	86
PID 2244 wrote to memory of 4064	2244	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4064

Network

DNS

123.108.74.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

123.108.74.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

sample.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.111.133
DNS

210.81.184.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.81.184.52.in-addr.arpa

IN PTR

Response
DNS

133.108.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.108.199.185.in-addr.arpa

IN PTR

Response

133.108.199.185.in-addr.arpa

IN PTR

cdn-185-199-108-133githubcom
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

64.13.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.13.109.52.in-addr.arpa

IN PTR

Response
DNS

97.238.32.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.238.32.23.in-addr.arpa

IN PTR

Response

97.238.32.23.in-addr.arpa

IN PTR

a23-32-238-97deploystaticakamaitechnologiescom
DNS

108.211.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

108.211.229.192.in-addr.arpa

IN PTR

Response

185.199.108.133:443

raw.githubusercontent.com

tls

sample.exe

1.5kB
40.0kB
20
34
13.78.111.198:443

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
173.223.113.164:443

322 B
7

8.8.8.8:53

123.108.74.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

123.108.74.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

sample.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.108.133

185.199.109.133

185.199.110.133

185.199.111.133
8.8.8.8:53

210.81.184.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

210.81.184.52.in-addr.arpa
8.8.8.8:53

133.108.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.108.199.185.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

64.13.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

64.13.109.52.in-addr.arpa
8.8.8.8:53

97.238.32.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

97.238.32.23.in-addr.arpa
8.8.8.8:53

108.211.229.192.in-addr.arpa

dns

74 B
145 B
1
1

DNS Request

108.211.229.192.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Windows 7 deprecation

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.