15800787860c1e735ad6b5f2a1b0915b1e3dc1b63264eb5c8af4a1386d5a2e07 | Triage

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2023 17:07

Sharing

Report Analysis Logs

General

Target

bNnX.exe
Size

32KB
MD5

144fc1ec9c05433ae3a5e9d6543f1cbf
SHA1

2a2c04871b40ab7d51edf23911a3d6f16698efef
SHA256

15800787860c1e735ad6b5f2a1b0915b1e3dc1b63264eb5c8af4a1386d5a2e07
SHA512

70162e242ee550d6ba04f10d782c7e97660feb81f199971b9770c6811a954c6aeb93aa8f9256cb1d236e0d9ddc580d86859c77a0e019e911188fbf5fd7e6f614
SSDEEP

384:n0bUe5XB4e0XmOnPw0Q0mS03AWTxtTUFQqzFcObbZ:sT9Bu1I55dWbZ

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bNnX.exe

description pid process

Token: SeDebugPrivilege 4812 bNnX.exe
Token: 33 4812 bNnX.exe
Token: SeIncBasePriorityPrivilege 4812 bNnX.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

bNnX.exe

description	pid	process	target process
PID 4812 wrote to memory of 3424	4812	bNnX.exe	cmd.exe
PID 4812 wrote to memory of 3424	4812	bNnX.exe	cmd.exe
PID 4812 wrote to memory of 3424	4812	bNnX.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\bNnX.exe
"C:\Users\Admin\AppData\Local\Temp\bNnX.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\bNnX.exe"
  2⤵
  PID:3424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4812-133-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4812-134-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4812-135-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download