96715e2703f139b4439b8321dcd1f5e28ac8370a9999b7ca9fe2c25a5927e210

Analysis

max time kernel
140s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2023, 13:55

Target

Kangaroo.exe
Size

311KB
MD5

dd75215aaa73ee8db3075dbcff4b5840
SHA1

039ac9af2d590d787de45d9a650a1a08a304f847
SHA256

96715e2703f139b4439b8321dcd1f5e28ac8370a9999b7ca9fe2c25a5927e210
SHA512

eba9267297a457b440f988cd8123733e70aca7675cc22812bf69cdf6335f5ef72ccab9653086e6c1cd71936bae26e970133ba2eca260900b3bc8d75150ad479a
SSDEEP

6144:SoWnKyjWo7gB8eOCJG3FGJljXdQprzvEXaAMw0YYaZB6gkipk3mmw0OKgg80OKgp:SoWKsWR8FCw3wjXdQpv6aAMpQZtxTSg/

Score

6^/10

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3992	Kangaroo.exe

C:\Users\Admin\AppData\Local\Temp\Kangaroo.exe
"C:\Users\Admin\AppData\Local\Temp\Kangaroo.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3992

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

memory/3992-133-0x0000000000900000-0x0000000000954000-memory.dmp

Filesize
336KB

Download
memory/3992-134-0x0000000005830000-0x0000000005DD4000-memory.dmp

Filesize
5.6MB

Download
memory/3992-135-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/3992-136-0x00000000053D0000-0x00000000053DA000-memory.dmp

Filesize
40KB

Download
memory/3992-137-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/3992-138-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/3992-139-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/3992-140-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download