782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b

Analysis

max time kernel
52s
max time network
278s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2023 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe
Size

7.9MB
MD5

700e57847516d1f3e4ebf02e015e9f8d
SHA1

91c40d84f14bfc7715b0462bc73b87ee5f9d389a
SHA256

782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b
SHA512

f288f959bcc88df5eea19c3a9eed683ef3f4e6f30202a19414e6d0ca749579efad095bf3cc20166fa5d68ad6723df83c4ec54cb2f588d8f0fc2d73cbd0cd9579
SSDEEP

49152:I/z03gl6f7sil5rb/T6vO90d7HjmAFd4A64nsfJjyml8N3gS4eDSdMllsLXGEThd:fzfLKDSEgNs357qUNA7JkEQrb3

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
6	api.ipify.org
8	api.ipify.org

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4908	wmic.exe
Token: SeSecurityPrivilege	4908	wmic.exe
Token: SeTakeOwnershipPrivilege	4908	wmic.exe
Token: SeLoadDriverPrivilege	4908	wmic.exe
Token: SeSystemProfilePrivilege	4908	wmic.exe
Token: SeSystemtimePrivilege	4908	wmic.exe
Token: SeProfSingleProcessPrivilege	4908	wmic.exe
Token: SeIncBasePriorityPrivilege	4908	wmic.exe
Token: SeCreatePagefilePrivilege	4908	wmic.exe
Token: SeBackupPrivilege	4908	wmic.exe
Token: SeRestorePrivilege	4908	wmic.exe
Token: SeShutdownPrivilege	4908	wmic.exe
Token: SeDebugPrivilege	4908	wmic.exe
Token: SeSystemEnvironmentPrivilege	4908	wmic.exe
Token: SeRemoteShutdownPrivilege	4908	wmic.exe
Token: SeUndockPrivilege	4908	wmic.exe
Token: SeManageVolumePrivilege	4908	wmic.exe
Token: 33	4908	wmic.exe
Token: 34	4908	wmic.exe
Token: 35	4908	wmic.exe
Token: 36	4908	wmic.exe
Token: SeIncreaseQuotaPrivilege	4908	wmic.exe
Token: SeSecurityPrivilege	4908	wmic.exe
Token: SeTakeOwnershipPrivilege	4908	wmic.exe
Token: SeLoadDriverPrivilege	4908	wmic.exe
Token: SeSystemProfilePrivilege	4908	wmic.exe
Token: SeSystemtimePrivilege	4908	wmic.exe
Token: SeProfSingleProcessPrivilege	4908	wmic.exe
Token: SeIncBasePriorityPrivilege	4908	wmic.exe
Token: SeCreatePagefilePrivilege	4908	wmic.exe
Token: SeBackupPrivilege	4908	wmic.exe
Token: SeRestorePrivilege	4908	wmic.exe
Token: SeShutdownPrivilege	4908	wmic.exe
Token: SeDebugPrivilege	4908	wmic.exe
Token: SeSystemEnvironmentPrivilege	4908	wmic.exe
Token: SeRemoteShutdownPrivilege	4908	wmic.exe
Token: SeUndockPrivilege	4908	wmic.exe
Token: SeManageVolumePrivilege	4908	wmic.exe
Token: 33	4908	wmic.exe
Token: 34	4908	wmic.exe
Token: 35	4908	wmic.exe
Token: 36	4908	wmic.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 4564	740	782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe	84
PID 740 wrote to memory of 4564	740	782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe	84
PID 740 wrote to memory of 2508	740	782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe	85
PID 740 wrote to memory of 2508	740	782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe	85
PID 740 wrote to memory of 4388	740	782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe	86
PID 740 wrote to memory of 4388	740	782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe	86
PID 740 wrote to memory of 4224	740	782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe	87
PID 740 wrote to memory of 4224	740	782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe	87
PID 740 wrote to memory of 832	740	782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe	88
PID 740 wrote to memory of 832	740	782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe	88
PID 740 wrote to memory of 4908	740	782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe	90
PID 740 wrote to memory of 4908	740	782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe	90
PID 740 wrote to memory of 1620	740	782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe	91
PID 740 wrote to memory of 1620	740	782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe	91

C:\Users\Admin\AppData\Local\Temp\782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe
"C:\Users\Admin\AppData\Local\Temp\782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\system32\curl.exe
  curl ipinfo.io/country
  2⤵
  PID:4564
- C:\Windows\system32\curl.exe
  curl ipinfo.io/country
  2⤵
  PID:2508
- C:\Windows\system32\curl.exe
  curl ipinfo.io/country
  2⤵
  PID:4388
- C:\Windows\system32\curl.exe
  curl ipinfo.io/country
  2⤵
  PID:4224
- C:\Windows\system32\runas.exe
  runas /user:Administrator C:\Users\Admin\AppData\Local\Temp\782ec01fa989886571a72b77dc662640a9df7a5fbdc8a863a256820c7faf8e3b.exe
  2⤵
  PID:832
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Windows\system32\curl.exe
  curl api.ipify.org
  2⤵
  PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads