52b0c7ba7b68715c8395e51206038b134df91ff61fea0cfeaeed1f500fef5531

Analysis

max time kernel
74s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2023, 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bock/6rdchb.exe
Size

6.1MB
MD5

43d1bfe3d7998a15b3f315493281336e
SHA1

8bce78b3e120f8e96e0e896f04e77d64291a1d39
SHA256

27e8311a78358fac78a90f16012fb37e44ba7a57243346aefad8ca6e069b8d60
SHA512

67b355dddc9a5bd91ade586b369145475e13a5125a07bc1bc70067b08a9dd2b1c57ab2505c56151f70b54b6d4139354604f0fc1b66729245da3989c773bada71
SSDEEP

49152:6Bf8QvuxNDfrb/TAvO90d7HjmAFd4A64nsfJLppiGr6KsUKfnNo2l15AoBfVB5uK:vNtQNXL4N63ENr

Score

1^/10

Malware Config

Signatures

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4008	ipconfig.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1
HTTP User-Agent header	6	Go-http-client/1.1

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	whoami.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 4436	4388	6rdchb.exe	83
PID 4388 wrote to memory of 4436	4388	6rdchb.exe	83
PID 4388 wrote to memory of 1388	4388	6rdchb.exe	85
PID 4388 wrote to memory of 1388	4388	6rdchb.exe	85
PID 4388 wrote to memory of 4008	4388	6rdchb.exe	87
PID 4388 wrote to memory of 4008	4388	6rdchb.exe	87

C:\Users\Admin\AppData\Local\Temp\bock\6rdchb.exe
"C:\Users\Admin\AppData\Local\Temp\bock\6rdchb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\system32\hostname.exe
  hostname
  2⤵
  PID:4436
- C:\Windows\system32\whoami.exe
  whoami
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:4008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...