72c937a5a0cf31e0a05552208e1cafffeb84d740833c903cf831e33c7504b6ea

Analysis

max time kernel
117s
max time network
152s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/07/2023, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

666f0565a76217_JC.exe
Size

524KB
MD5

666f0565a76217a4de639d7cc4d76d7f
SHA1

1fbb63994851f816a0f7d93b2e8c7a5d14ec080a
SHA256

72c937a5a0cf31e0a05552208e1cafffeb84d740833c903cf831e33c7504b6ea
SHA512

12c32c07d91aa4f5e7dfd5c9f140c59eb57896f65a99fa6b488a814b63cdf31c2c2000c4bf0aab3d22da0a0c43ae2523330b91e340b75cb4f7374345086859d6
SSDEEP

6144:Z+0m8kZHU0bdLzTImb9C5u1wWxclQMgM8xn0AUh2q/+Kmy/v0ng:7m8H0bdL3Imb9efQMgMkYH+Kmo

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1704	attrib.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1456	666f0565a76217_JC.exe
1456	666f0565a76217_JC.exe
1456	666f0565a76217_JC.exe
1456	666f0565a76217_JC.exe
1456	666f0565a76217_JC.exe
1456	666f0565a76217_JC.exe
1456	666f0565a76217_JC.exe
1456	666f0565a76217_JC.exe
1456	666f0565a76217_JC.exe
1456	666f0565a76217_JC.exe
1456	666f0565a76217_JC.exe
1456	666f0565a76217_JC.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1456	666f0565a76217_JC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1456	666f0565a76217_JC.exe
Token: SeDebugPrivilege	1456	666f0565a76217_JC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1456	666f0565a76217_JC.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2904	1456	666f0565a76217_JC.exe	28
PID 1456 wrote to memory of 2904	1456	666f0565a76217_JC.exe	28
PID 1456 wrote to memory of 2904	1456	666f0565a76217_JC.exe	28
PID 1456 wrote to memory of 2904	1456	666f0565a76217_JC.exe	28
PID 2904 wrote to memory of 2932	2904	cmd.exe	30
PID 2904 wrote to memory of 2932	2904	cmd.exe	30
PID 2904 wrote to memory of 2932	2904	cmd.exe	30
PID 2904 wrote to memory of 2932	2904	cmd.exe	30
PID 2904 wrote to memory of 2896	2904	cmd.exe	32
PID 2904 wrote to memory of 2896	2904	cmd.exe	32
PID 2904 wrote to memory of 2896	2904	cmd.exe	32
PID 2904 wrote to memory of 2896	2904	cmd.exe	32
PID 2896 wrote to memory of 2832	2896	cmd.exe	33
PID 2896 wrote to memory of 2832	2896	cmd.exe	33
PID 2896 wrote to memory of 2832	2896	cmd.exe	33
PID 2896 wrote to memory of 2832	2896	cmd.exe	33
PID 1456 wrote to memory of 3028	1456	666f0565a76217_JC.exe	34
PID 1456 wrote to memory of 3028	1456	666f0565a76217_JC.exe	34
PID 1456 wrote to memory of 3028	1456	666f0565a76217_JC.exe	34
PID 1456 wrote to memory of 3028	1456	666f0565a76217_JC.exe	34
PID 3028 wrote to memory of 2792	3028	cmd.exe	36
PID 3028 wrote to memory of 2792	3028	cmd.exe	36
PID 3028 wrote to memory of 2792	3028	cmd.exe	36
PID 3028 wrote to memory of 2792	3028	cmd.exe	36
PID 3028 wrote to memory of 1704	3028	cmd.exe	37
PID 3028 wrote to memory of 1704	3028	cmd.exe	37
PID 3028 wrote to memory of 1704	3028	cmd.exe	37
PID 3028 wrote to memory of 1704	3028	cmd.exe	37

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1704	attrib.exe

C:\Users\Admin\AppData\Local\Temp\666f0565a76217_JC.exe
"C:\Users\Admin\AppData\Local\Temp\666f0565a76217_JC.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\1122.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\mode.com
    mode con cols=15 lines=3
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1122.bat p
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\mode.com
      mode con cols=15 lines=3
      4⤵
      PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\1133.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\mode.com
    mode con cols=15 lines=3
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +a +h +r "C:\test"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1122.bat

Filesize
197B

MD5
b4292e00eff53ec1da95e7225285e779

SHA1
695289b0ffaa5ee7b4084304c976045806687ddd

SHA256
dc4a1e18e67015e250c8bd71dcbce8d2234e73219b7dfcf8fd13d0733e4c2030

SHA512
00dc64420d7b8fda21873e4dfe9ec5fc0aec15a296385ca801641f6a8894692f6aeada71445ef54330f1acf4be6ab436e4ad99f24933e844baa6055efd02f1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1122.bat

Filesize
197B

MD5
b4292e00eff53ec1da95e7225285e779

SHA1
695289b0ffaa5ee7b4084304c976045806687ddd

SHA256
dc4a1e18e67015e250c8bd71dcbce8d2234e73219b7dfcf8fd13d0733e4c2030

SHA512
00dc64420d7b8fda21873e4dfe9ec5fc0aec15a296385ca801641f6a8894692f6aeada71445ef54330f1acf4be6ab436e4ad99f24933e844baa6055efd02f1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1133.bat

Filesize
146B

MD5
d61001211982ac769bbb185be1950976

SHA1
c856d74768d978bed799edfc07819fc28ba8f604

SHA256
03d8643c798c6d1f7c25e3dde6f9a3cb17015295456e099af2681b4ba7895b27

SHA512
7080a7d2c54d927960d42063eeea3514ada396c680108d3345660b69149daa446c38848f64138ec075cc7bc9c39112147fabda3fdd7826e763e1b6d1b87f23f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1133.bat

Filesize
146B

MD5
d61001211982ac769bbb185be1950976

SHA1
c856d74768d978bed799edfc07819fc28ba8f604

SHA256
03d8643c798c6d1f7c25e3dde6f9a3cb17015295456e099af2681b4ba7895b27

SHA512
7080a7d2c54d927960d42063eeea3514ada396c680108d3345660b69149daa446c38848f64138ec075cc7bc9c39112147fabda3fdd7826e763e1b6d1b87f23f1

Download Submit
memory/1456-54-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/1456-71-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download