c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643

Analysis

max time kernel
158s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2023 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.exe
Size

3.7MB
MD5

b396c05b6498e8b1ad74e085e091cefe
SHA1

5c076f327b69014f4f320716cbe92d6387afec10
SHA256

c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643
SHA512

d00b68d8ce896c399e27f2760e8a03b4d0cbd3fab66f27da8fef733e0f12bb14cdb7ab4393574ead76b0d9ad434e6c446a9865fdd8e73106978ca455aebe2b4e
SSDEEP

98304:tiTy7kki9G2CID3+czO5Zj4cU6MuD4GzDq7xiTVh:tB4X9Gu+cziBsM4Gyli5h

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2316	c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.tmp
4948	Dism++x64.exe

Loads dropped DLL 1 IoCs

pid	Process
4948	Dism++x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\unins000.dat	c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.tmp
File created	C:\Windows\is-SNG8B.tmp	c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.tmp
File opened for modification	C:\Windows\is-SNG8B.tmp	c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.tmp
File opened for modification	C:\Windows\unins000.dat	c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.tmp
2316	c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.tmp

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	4948	Dism++x64.exe
Token: SeRestorePrivilege	4948	Dism++x64.exe
Token: SeSecurityPrivilege	4948	Dism++x64.exe
Token: 35	4948	Dism++x64.exe
Token: SeLoadDriverPrivilege	4948	Dism++x64.exe
Token: SeBackupPrivilege	4948	Dism++x64.exe
Token: SeRestorePrivilege	4948	Dism++x64.exe
Token: SeShutdownPrivilege	4948	Dism++x64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2316	c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.tmp

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 2316	8	c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.exe	84
PID 8 wrote to memory of 2316	8	c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.exe	84
PID 8 wrote to memory of 2316	8	c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.exe	84
PID 2316 wrote to memory of 4948	2316	c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.tmp	85
PID 2316 wrote to memory of 4948	2316	c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.tmp	85

C:\Users\Admin\AppData\Local\Temp\c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.exe
"C:\Users\Admin\AppData\Local\Temp\c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:8
- C:\Users\Admin\AppData\Local\Temp\is-C31KK.tmp\c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-C31KK.tmp\c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.tmp" /SL5="$401C4,2999487,770048,C:\Users\Admin\AppData\Local\Temp\c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\is-PLVC4.tmp\Dism++x64.exe
    "C:\Users\Admin\AppData\Local\Temp\is-PLVC4.tmp\Dism++x64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-C31KK.tmp\c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.tmp

Filesize
3.0MB

MD5
a4a7755ff7e10d6338f33a036d6070c6

SHA1
2caf7457cd8e611a0fac5d551e4d812422d9f60d

SHA256
18c606267d7cd70a277dd13e38c6c5d51fc33b3a355f27edda9f9775e80c04f7

SHA512
d43c8eff7d0e96c69c97de430e04300a68cf69757edafc5ee218bf265c243abea5d7718bc7a8320b4df6b5b11c5de45e7a2ad336f4ad1136e6f9148fbaf14d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C31KK.tmp\c108715774ce4e14b0360e53b4b43195a1c2f646802f00f75071a43bbbaa1643.tmp

Filesize
3.0MB

MD5
a4a7755ff7e10d6338f33a036d6070c6

SHA1
2caf7457cd8e611a0fac5d551e4d812422d9f60d

SHA256
18c606267d7cd70a277dd13e38c6c5d51fc33b3a355f27edda9f9775e80c04f7

SHA512
d43c8eff7d0e96c69c97de430e04300a68cf69757edafc5ee218bf265c243abea5d7718bc7a8320b4df6b5b11c5de45e7a2ad336f4ad1136e6f9148fbaf14d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PLVC4.tmp\Config\Config.ini

Filesize
544B

MD5
dbc90babce4f3c3f249276e84d25c892

SHA1
597d4ab6eb8efec2b932cfc4fda5017d1e2d6a63

SHA256
49f737b2acedce34127b487edb732bacc24ee3b01297d86fd0c3f2d5c7e1aa09

SHA512
3a2e7dc8bb717d2d1bba33a4565a7a53a583fd7c0fa0e9cb228ba916b2211641200b117bc690556349d7373080286078520d128104071ac51b5ce8cadb46b98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PLVC4.tmp\Config\Languages\zh-Hans.zip

Filesize
6KB

MD5
a4fa2b5a0f9bc8da19549442aaa0d62d

SHA1
b2a4970c4110e73d68c03d2dbfabd5a6262ce21b

SHA256
b6cfce094bf429022f08e22c8f93accac526ffb289eedc713a70b306c2b78a94

SHA512
07c8df35edcd18f02f71d102e790d0a1a7c0692e3157924dadcffd5de962701b37e824620c5ed4417490965c23a04a52818d6b4828175959edab919151e13a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PLVC4.tmp\Config\UpdateInfo.zip

Filesize
8KB

MD5
ce5a03cff1e1240cabebf3782df68049

SHA1
390271f6b3b2f555cfba79a0b86ffc0aa22ce2e7

SHA256
df18474b0bfc7aed1766b8ad380236e1e163cf4f30b6ed901f9b9b971eb48dca

SHA512
aaf13e978f41e1128181a87cf8897b6fa53bbca6035b77ec15b6f4128167b44d98c15e500865b131353f0b488e701dbe781ac487b0236af8d859d4760c5fde43

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PLVC4.tmp\Config\amd64\CBSHost.dll

Filesize
175KB

MD5
dd139df87a896b894335e03ece2973bf

SHA1
c6eb8a276897acc4e1f34dc25df138b2c30f7918

SHA256
6a1075f4fab4acd2722e8946cba7b23508d120367c84aae3e83284124227013a

SHA512
1a6296ab7411771e1fd8147086cbcade6f761e10b44975086fc03a0f058faaa0acef692b97a56f2ddad3f66241c0fb1b7d6d7e897888cb53f86a9734ceed5874

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PLVC4.tmp\Config\amd64\CbsHost.Dll

Filesize
175KB

MD5
dd139df87a896b894335e03ece2973bf

SHA1
c6eb8a276897acc4e1f34dc25df138b2c30f7918

SHA256
6a1075f4fab4acd2722e8946cba7b23508d120367c84aae3e83284124227013a

SHA512
1a6296ab7411771e1fd8147086cbcade6f761e10b44975086fc03a0f058faaa0acef692b97a56f2ddad3f66241c0fb1b7d6d7e897888cb53f86a9734ceed5874

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PLVC4.tmp\Config\amd64\wimgapi.dll

Filesize
754KB

MD5
80826a2374b051468ffbd6e85993137d

SHA1
d66082ee8d3478f6b606336fec00f9d748ab9427

SHA256
e51344884512b486ff1de3c30e554b0e1cb6ffb8ed4e3bdd31a29a76454f5562

SHA512
5c07620f08e77b1c82baa3f4685b730b3bd1fd324931f04a10d5593d0263da0f76311f2012b33a7a3c7200c1093dbec9e84dc724031b9231537e4362064a7284

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PLVC4.tmp\Dism++x64.exe

Filesize
1.0MB

MD5
a1a058ff98dc1f9320195b398aa06167

SHA1
d974136e6dc4b1726b50a770ec8d6f0f4fc859a7

SHA256
16bbdb339173d25b4332b377da96e80809aabfe6739cf35d5e70484f08cfdc42

SHA512
8517354f8579905a5ff1b581aee79ac4632d83bf1672490b653caf5807e902745ae1df109083ea895ac63f0a106786390d5e769a220dc21af8f8a7a9585dddc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PLVC4.tmp\Dism++x64.exe

Filesize
1.0MB

MD5
a1a058ff98dc1f9320195b398aa06167

SHA1
d974136e6dc4b1726b50a770ec8d6f0f4fc859a7

SHA256
16bbdb339173d25b4332b377da96e80809aabfe6739cf35d5e70484f08cfdc42

SHA512
8517354f8579905a5ff1b581aee79ac4632d83bf1672490b653caf5807e902745ae1df109083ea895ac63f0a106786390d5e769a220dc21af8f8a7a9585dddc8

Download Submit
memory/8-133-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/8-207-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2316-143-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2316-208-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download