29339458f4a33ee922f25d36b83f19797a15a279634e9c44ebd3816866a541cb

General

Target

InstallerFilex_64.exe
Size

3.1MB
MD5

78462baf56c10c4a1aee9dd38eb37bdc
SHA1

e166b85e91ea4fcd66f0400d9f022bc437eac11e
SHA256

29339458f4a33ee922f25d36b83f19797a15a279634e9c44ebd3816866a541cb
SHA512

30d9d7df428efc54cbc6455fe0ec546a14330964d1fecd393d5b54002dc6e219f528c8e27a3cc514c4ff5bdbb8d3b006aac12a508b65e215dbfcbd69143f25a8
SSDEEP

49152:k2vK4D+psO1DSBvHSmL1Xdf5k6N21D5Mgwp1haASvh6k1S80:kotD4sKYvSmRVSQ80

Score

1^/10

Malware Config

Signatures

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

100 systeminfo.exe

pid	process
100	systeminfo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2528	WMIC.exe
Token: SeSecurityPrivilege	2528	WMIC.exe
Token: SeTakeOwnershipPrivilege	2528	WMIC.exe
Token: SeLoadDriverPrivilege	2528	WMIC.exe
Token: SeSystemProfilePrivilege	2528	WMIC.exe
Token: SeSystemtimePrivilege	2528	WMIC.exe
Token: SeProfSingleProcessPrivilege	2528	WMIC.exe
Token: SeIncBasePriorityPrivilege	2528	WMIC.exe
Token: SeCreatePagefilePrivilege	2528	WMIC.exe
Token: SeBackupPrivilege	2528	WMIC.exe
Token: SeRestorePrivilege	2528	WMIC.exe
Token: SeShutdownPrivilege	2528	WMIC.exe
Token: SeDebugPrivilege	2528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2528	WMIC.exe
Token: SeRemoteShutdownPrivilege	2528	WMIC.exe
Token: SeUndockPrivilege	2528	WMIC.exe
Token: SeManageVolumePrivilege	2528	WMIC.exe
Token: 33	2528	WMIC.exe
Token: 34	2528	WMIC.exe
Token: 35	2528	WMIC.exe
Token: 36	2528	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2528	WMIC.exe
Token: SeSecurityPrivilege	2528	WMIC.exe
Token: SeTakeOwnershipPrivilege	2528	WMIC.exe
Token: SeLoadDriverPrivilege	2528	WMIC.exe
Token: SeSystemProfilePrivilege	2528	WMIC.exe
Token: SeSystemtimePrivilege	2528	WMIC.exe
Token: SeProfSingleProcessPrivilege	2528	WMIC.exe
Token: SeIncBasePriorityPrivilege	2528	WMIC.exe
Token: SeCreatePagefilePrivilege	2528	WMIC.exe
Token: SeBackupPrivilege	2528	WMIC.exe
Token: SeRestorePrivilege	2528	WMIC.exe
Token: SeShutdownPrivilege	2528	WMIC.exe
Token: SeDebugPrivilege	2528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2528	WMIC.exe
Token: SeRemoteShutdownPrivilege	2528	WMIC.exe
Token: SeUndockPrivilege	2528	WMIC.exe
Token: SeManageVolumePrivilege	2528	WMIC.exe
Token: 33	2528	WMIC.exe
Token: 34	2528	WMIC.exe
Token: 35	2528	WMIC.exe
Token: 36	2528	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1992	wmic.exe
Token: SeSecurityPrivilege	1992	wmic.exe
Token: SeTakeOwnershipPrivilege	1992	wmic.exe
Token: SeLoadDriverPrivilege	1992	wmic.exe
Token: SeSystemProfilePrivilege	1992	wmic.exe
Token: SeSystemtimePrivilege	1992	wmic.exe
Token: SeProfSingleProcessPrivilege	1992	wmic.exe
Token: SeIncBasePriorityPrivilege	1992	wmic.exe
Token: SeCreatePagefilePrivilege	1992	wmic.exe
Token: SeBackupPrivilege	1992	wmic.exe
Token: SeRestorePrivilege	1992	wmic.exe
Token: SeShutdownPrivilege	1992	wmic.exe
Token: SeDebugPrivilege	1992	wmic.exe
Token: SeSystemEnvironmentPrivilege	1992	wmic.exe
Token: SeRemoteShutdownPrivilege	1992	wmic.exe
Token: SeUndockPrivilege	1992	wmic.exe
Token: SeManageVolumePrivilege	1992	wmic.exe
Token: 33	1992	wmic.exe
Token: 34	1992	wmic.exe
Token: 35	1992	wmic.exe
Token: 36	1992	wmic.exe
Token: SeIncreaseQuotaPrivilege	1992	wmic.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

InstallerFilex_64.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1224 wrote to memory of 4476	1224	InstallerFilex_64.exe	cmd.exe
PID 1224 wrote to memory of 4476	1224	InstallerFilex_64.exe	cmd.exe
PID 1224 wrote to memory of 4476	1224	InstallerFilex_64.exe	cmd.exe
PID 4476 wrote to memory of 2528	4476	cmd.exe	WMIC.exe
PID 4476 wrote to memory of 2528	4476	cmd.exe	WMIC.exe
PID 4476 wrote to memory of 2528	4476	cmd.exe	WMIC.exe
PID 1224 wrote to memory of 1992	1224	InstallerFilex_64.exe	wmic.exe
PID 1224 wrote to memory of 1992	1224	InstallerFilex_64.exe	wmic.exe
PID 1224 wrote to memory of 1992	1224	InstallerFilex_64.exe	wmic.exe
PID 1224 wrote to memory of 4212	1224	InstallerFilex_64.exe	cmd.exe
PID 1224 wrote to memory of 4212	1224	InstallerFilex_64.exe	cmd.exe
PID 1224 wrote to memory of 4212	1224	InstallerFilex_64.exe	cmd.exe
PID 4212 wrote to memory of 1712	4212	cmd.exe	WMIC.exe
PID 4212 wrote to memory of 1712	4212	cmd.exe	WMIC.exe
PID 4212 wrote to memory of 1712	4212	cmd.exe	WMIC.exe
PID 1224 wrote to memory of 3936	1224	InstallerFilex_64.exe	cmd.exe
PID 1224 wrote to memory of 3936	1224	InstallerFilex_64.exe	cmd.exe
PID 1224 wrote to memory of 3936	1224	InstallerFilex_64.exe	cmd.exe
PID 3936 wrote to memory of 4044	3936	cmd.exe	WMIC.exe
PID 3936 wrote to memory of 4044	3936	cmd.exe	WMIC.exe
PID 3936 wrote to memory of 4044	3936	cmd.exe	WMIC.exe
PID 1224 wrote to memory of 776	1224	InstallerFilex_64.exe	cmd.exe
PID 1224 wrote to memory of 776	1224	InstallerFilex_64.exe	cmd.exe
PID 1224 wrote to memory of 776	1224	InstallerFilex_64.exe	cmd.exe
PID 776 wrote to memory of 100	776	cmd.exe	systeminfo.exe
PID 776 wrote to memory of 100	776	cmd.exe	systeminfo.exe
PID 776 wrote to memory of 100	776	cmd.exe	systeminfo.exe

C:\Users\Admin\AppData\Local\Temp\InstallerFilex_64.exe
"C:\Users\Admin\AppData\Local\Temp\InstallerFilex_64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
cmd "/c " systeminfo
2⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads