Analysis

max time kernel: 140s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/07/2023, 11:03
Behavioral task: behavioral1
Sample: 666f0565a76217_JC.exe
Resource: win7-20230712-en

Behavioral task: behavioral2
Sample: 666f0565a76217_JC.exe
Resource: win10v2004-20230703-en
General

Target: 666f0565a76217_JC.exe
Size: 524KB
MD5: 666f0565a76217a4de639d7cc4d76d7f
SHA1: 1fbb63994851f816a0f7d93b2e8c7a5d14ec080a
SHA256: 72c937a5a0cf31e0a05552208e1cafffeb84d740833c903cf831e33c7504b6ea
SHA512: 12c32c07d91aa4f5e7dfd5c9f140c59eb57896f65a99fa6b488a814b63cdf31c2c2000c4bf0aab3d22da0a0c43ae2523330b91e340b75cb4f7374345086859d6
SSDEEP: 6144:Z+0m8kZHU0bdLzTImb9C5u1wWxclQMgM8xn0AUh2q/+Kmy/v0ng:7m8H0bdL3Imb9efQMgMkYH+Kmo
Malware Config
Signatures

- Sets file to hidden (1 TTP, 1 IoC)
  Modifies file attributes to stop it showing in Explorer etc.
  pid 2016, process attrib.exe
  Note: the call sets +s together with +h, so Explorer keeps the path hidden even with "show hidden files" enabled until "hide protected operating system files" is also switched off; from a command prompt, attrib or a dir listing filtered on the s and h attributes still shows it.
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid 1432, process 666f0565a76217_JC.exe (24 events, all from the same process)
- Suspicious behavior: RenamesItself (1 IoC)
  pid 1432, process 666f0565a76217_JC.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1432, process 666f0565a76217_JC.exe (2 events)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1432, process 666f0565a76217_JC.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  source pid  source process          target pid  target id
  1432        666f0565a76217_JC.exe   2208        84   (3 events)
  2208        cmd.exe                 4536        86   (3 events)
  2208        cmd.exe                 4964        87   (3 events)
  4964        cmd.exe                 3788        89   (3 events)
  1432        666f0565a76217_JC.exe   4776        90   (3 events)
  4776        cmd.exe                 5064        92   (3 events)
  4776        cmd.exe                 2016        94   (3 events)
  Note: every pair is a parent writing into its own freshly created child and matches the process tree below one-for-one; that is the ordinary process-creation pattern, not evidence of injection into an unrelated process.
- Views/modifies file attributes (1 TTP, 1 IoC)
  pid 2016, process attrib.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\666f0565a76217_JC.exe (PID 1432)
  command line: "C:\Users\Admin\AppData\Local\Temp\666f0565a76217_JC.exe"
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: RenamesItself
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2208)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1122.bat
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mode.com (PID 4536)
      command line: mode con cols=15 lines=3
    - C:\Windows\SysWOW64\cmd.exe (PID 4964)
      command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1122.bat p
      Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\mode.com (PID 3788)
        command line: mode con cols=15 lines=3
  - C:\Windows\SysWOW64\cmd.exe (PID 4776)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1133.bat
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mode.com (PID 5064)
      command line: mode con cols=15 lines=3
    - C:\Windows\SysWOW64\attrib.exe (PID 2016)
      command line: attrib +s +a +h +r "C:\test"
      Sets file to hidden
      Views/modifies file attributes

Reading the tree: the sample runs two batch files from its own %TEMP% directory, 1122.bat and 1133.bat, each through cmd.exe /c. Both first shrink the console window (mode con cols=15 lines=3); 1122.bat then re-launches itself with the argument p, and 1133.bat marks C:\test system, archive, hidden and read-only. The image paths are under SysWOW64 although the command lines name system32: the sample is a 32-bit process (see the arch:x86 resource tag), so WOW64 file-system redirection maps its system32 references onto SysWOW64.
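To show how the process tree above turns into a detection, here is an added Python example (not part of the Triage report and not the sample's own code) that rebuilds the tree from process-creation events and flags an attrib.exe call setting +h whose ancestry is cmd.exe running a .bat from %TEMP% under an executable that itself runs from %TEMP%. The EVENTS tuples are constructed from the PIDs and command lines in the report (the root's parent PID 900 is a placeholder, since the report does not show the sandbox launcher); the function names and the event tuple layout are the example's own, not a sandbox export format.

```python
"""Rebuild a process tree from (pid, ppid, image, cmdline) events and flag the
cmd.exe -> %TEMP%\\*.bat -> attrib.exe +s +h chain seen in the report."""
import re
from dataclasses import dataclass, field

# Constructed from the report's process tree. PPID 900 for the root is a
# placeholder for the sandbox launcher, which the report does not show.
EVENTS = [
    (1432, 900, r"C:\Users\Admin\AppData\Local\Temp\666f0565a76217_JC.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\666f0565a76217_JC.exe"'),
    (2208, 1432, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1122.bat"),
    (4536, 2208, r"C:\Windows\SysWOW64\mode.com", "mode con cols=15 lines=3"),
    (4964, 2208, r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1122.bat p"),
    (3788, 4964, r"C:\Windows\SysWOW64\mode.com", "mode con cols=15 lines=3"),
    (4776, 1432, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1133.bat"),
    (5064, 4776, r"C:\Windows\SysWOW64\mode.com", "mode con cols=15 lines=3"),
    (2016, 4776, r"C:\Windows\SysWOW64\attrib.exe", r'attrib +s +a +h +r "C:\test"'),
]

TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\([^\s"]+\.bat)', re.IGNORECASE)
TEMP_EXE = re.compile(r'\\AppData\\Local\\Temp\\[^\s"]+\.exe', re.IGNORECASE)
ATTRIB_SWITCH = re.compile(r"[+-][a-z]", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)


def build_tree(events):
    """Index processes by PID and link each to its parent when the parent is known."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def ancestry(procs, pid):
    """Chain of Proc objects from the topmost known ancestor down to `pid`."""
    chain, cur = [], procs.get(pid)
    while cur is not None:
        chain.append(cur)
        cur = procs.get(cur.ppid)
    return chain[::-1]


def attrib_flags(cmdline):
    """Split an attrib command line into its +/-X switches and the target paths."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)[1:]   # drop the attrib token itself
    flags = {t.lower() for t in tokens if ATTRIB_SWITCH.fullmatch(t)}
    targets = [t.strip('"') for t in tokens
               if not ATTRIB_SWITCH.fullmatch(t) and not t.startswith("/")]
    return flags, targets


def find_hidden_attrib(procs):
    """Flag attrib.exe setting +h whose ancestors include cmd.exe running a
    .bat from %TEMP% and an executable that itself runs from %TEMP%."""
    findings = []
    for p in procs.values():
        if not p.image.lower().endswith("\\attrib.exe"):
            continue
        flags, targets = attrib_flags(p.cmdline)
        if "+h" not in flags:
            continue
        chain = ancestry(procs, p.pid)
        bats = [m.group(1) for a in chain if (m := TEMP_BAT.search(a.cmdline))]
        roots = [a for a in chain if TEMP_EXE.search(a.image)]
        if not bats or not roots:
            continue
        findings.append({
            "pid": p.pid,
            "flags": flags,
            "targets": targets,
            "batch": bats[-1],            # the script that called attrib
            "root_pid": roots[0].pid,     # the executable at the top of the chain
            # +s together with +h hides the path even when Explorer shows hidden files
            "system_hidden": {"+s", "+h"} <= flags,
        })
    return findings


def temp_batches(procs):
    """Distinct .bat files launched from %TEMP% anywhere in the tree."""
    return sorted({m.group(1) for p in procs.values()
                   if (m := TEMP_BAT.search(p.cmdline))})


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    print("batch files run from %TEMP%:", temp_batches(tree))
    for hit in find_hidden_attrib(tree):
        print("hidden-attrib chain:", hit)
```

Run stand-alone it reports the two batch names and a single finding for PID 2016 with root_pid 1432 and system_hidden set. The requirement that the chain be rooted in an executable under %TEMP% is what keeps the rule from firing on administrative scripts that legitimately set +h; drop that condition for the broader "attrib +s +h from a batch file" rule and accept the extra noise.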
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 197B
  MD5: b4292e00eff53ec1da95e7225285e779
  SHA1: 695289b0ffaa5ee7b4084304c976045806687ddd
  SHA256: dc4a1e18e67015e250c8bd71dcbce8d2234e73219b7dfcf8fd13d0733e4c2030
  SHA512: 00dc64420d7b8fda21873e4dfe9ec5fc0aec15a296385ca801641f6a8894692f6aeada71445ef54330f1acf4be6ab436e4ad99f24933e844baa6055efd02f1b6
- Filesize: 146B
  MD5: d61001211982ac769bbb185be1950976
  SHA1: c856d74768d978bed799edfc07819fc28ba8f604
  SHA256: 03d8643c798c6d1f7c25e3dde6f9a3cb17015295456e099af2681b4ba7895b27
  SHA512: 7080a7d2c54d927960d42063eeea3514ada396c680108d3345660b69149daa446c38848f64138ec075cc7bc9c39112147fabda3fdd7826e763e1b6d1b87f23f1