1b341517ba93e00b0ba9ac83a36ab33cf549aebe05f1ff19485d3a618139a267

Analysis

max time kernel
82s
max time network
82s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/05/2023, 16:23

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

jordanmemouse.exe
Size

49KB
MD5

315217e77d8f87e9134eccb6bb47fbb3
SHA1

80622e62417fae7ea5998516cf33600cebf091a6
SHA256

1b341517ba93e00b0ba9ac83a36ab33cf549aebe05f1ff19485d3a618139a267
SHA512

8137ad4cbc18a23fe27e1b9d4128f97b53d8315e7b1c6127a431c3bfce408bb21e6e1b26b13272ba50c761e12cdab2d1f685223704ccb94e53ae198150eb3a39
SSDEEP

768:ZE4F8QiIIfd12vOgZQKyHUt8p+00x3CypoUxr:NF8QdI/2WgZsG+C3dpL

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1608	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1608	AUDIODG.EXE
Token: 33	1608	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1608	AUDIODG.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1108	1208	jordanmemouse.exe	28
PID 1208 wrote to memory of 1108	1208	jordanmemouse.exe	28
PID 1208 wrote to memory of 1108	1208	jordanmemouse.exe	28
PID 1108 wrote to memory of 1160	1108	cmd.exe	30
PID 1108 wrote to memory of 1160	1108	cmd.exe	30
PID 1108 wrote to memory of 1160	1108	cmd.exe	30
PID 1160 wrote to memory of 580	1160	net.exe	31
PID 1160 wrote to memory of 580	1160	net.exe	31
PID 1160 wrote to memory of 580	1160	net.exe	31
PID 1108 wrote to memory of 804	1108	cmd.exe	32
PID 1108 wrote to memory of 804	1108	cmd.exe	32
PID 1108 wrote to memory of 804	1108	cmd.exe	32
PID 1108 wrote to memory of 1532	1108	cmd.exe	33
PID 1108 wrote to memory of 1532	1108	cmd.exe	33
PID 1108 wrote to memory of 1532	1108	cmd.exe	33
PID 1532 wrote to memory of 688	1532	net.exe	34
PID 1532 wrote to memory of 688	1532	net.exe	34
PID 1532 wrote to memory of 688	1532	net.exe	34

C:\Users\Admin\AppData\Local\Temp\jordanmemouse.exe
"C:\Users\Admin\AppData\Local\Temp\jordanmemouse.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\system32\net.exe
    net user Admin *
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin *
      4⤵
      PID:580
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:804
- - C:\Windows\system32\net.exe
    net user Admin *
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin *
      4⤵
      PID:688

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1556

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
2KB

MD5
c0861b940da6f4b519f81d2b8b68cc2f

SHA1
c52600aec785601cf5e092485ad76ae4bf80c36a

SHA256
a4afeecdca6fcbac794f1d5c1d8215dc0e9c1950bd8a32a765aaac037a3c5ccc

SHA512
d433d53643637adaa9a54e5dda3b59fc11f8eb76f878308ec80a60703d62a4641748b5623f6e84827d5a2efe6652468e00d7a97af1e315b77da95b54e6890377

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
2KB

MD5
c0861b940da6f4b519f81d2b8b68cc2f

SHA1
c52600aec785601cf5e092485ad76ae4bf80c36a

SHA256
a4afeecdca6fcbac794f1d5c1d8215dc0e9c1950bd8a32a765aaac037a3c5ccc

SHA512
d433d53643637adaa9a54e5dda3b59fc11f8eb76f878308ec80a60703d62a4641748b5623f6e84827d5a2efe6652468e00d7a97af1e315b77da95b54e6890377

Download Submit
memory/764-68-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1208-54-0x0000000000E70000-0x0000000000E82000-memory.dmp

Filesize
72KB

Download
memory/1556-67-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download