37ccff7149eff8c0241ba7c76202f48745f64df0f56f3aa5610e92735a14e271

Analysis

max time kernel
7s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2023, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37ccff7149eff8c0241ba7c76202f48745f64df0f56f3aa5610e92735a14e271.exe
Size

1.4MB
MD5

9c966cde636c37444467a2e5f11d651d
SHA1

2cb508dc8ac3333803cd4a0c7617a92cf5f89ae1
SHA256

37ccff7149eff8c0241ba7c76202f48745f64df0f56f3aa5610e92735a14e271
SHA512

80b76e7603bb95795065f83ae02f30ea70f8cce31c97758d85871f24a3d32f0f88dc4ced51f1ffff02beefc42e23b155656439c020f559e311b31b0648b44097
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4948	powershell.exe
4948	powershell.exe
1328	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	900	WMIC.exe
Token: SeSecurityPrivilege	900	WMIC.exe
Token: SeTakeOwnershipPrivilege	900	WMIC.exe
Token: SeLoadDriverPrivilege	900	WMIC.exe
Token: SeSystemProfilePrivilege	900	WMIC.exe
Token: SeSystemtimePrivilege	900	WMIC.exe
Token: SeProfSingleProcessPrivilege	900	WMIC.exe
Token: SeIncBasePriorityPrivilege	900	WMIC.exe
Token: SeCreatePagefilePrivilege	900	WMIC.exe
Token: SeBackupPrivilege	900	WMIC.exe
Token: SeRestorePrivilege	900	WMIC.exe
Token: SeShutdownPrivilege	900	WMIC.exe
Token: SeDebugPrivilege	900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	900	WMIC.exe
Token: SeRemoteShutdownPrivilege	900	WMIC.exe
Token: SeUndockPrivilege	900	WMIC.exe
Token: SeManageVolumePrivilege	900	WMIC.exe
Token: 33	900	WMIC.exe
Token: 34	900	WMIC.exe
Token: 35	900	WMIC.exe
Token: 36	900	WMIC.exe
Token: SeIncreaseQuotaPrivilege	900	WMIC.exe
Token: SeSecurityPrivilege	900	WMIC.exe
Token: SeTakeOwnershipPrivilege	900	WMIC.exe
Token: SeLoadDriverPrivilege	900	WMIC.exe
Token: SeSystemProfilePrivilege	900	WMIC.exe
Token: SeSystemtimePrivilege	900	WMIC.exe
Token: SeProfSingleProcessPrivilege	900	WMIC.exe
Token: SeIncBasePriorityPrivilege	900	WMIC.exe
Token: SeCreatePagefilePrivilege	900	WMIC.exe
Token: SeBackupPrivilege	900	WMIC.exe
Token: SeRestorePrivilege	900	WMIC.exe
Token: SeShutdownPrivilege	900	WMIC.exe
Token: SeDebugPrivilege	900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	900	WMIC.exe
Token: SeRemoteShutdownPrivilege	900	WMIC.exe
Token: SeUndockPrivilege	900	WMIC.exe
Token: SeManageVolumePrivilege	900	WMIC.exe
Token: 33	900	WMIC.exe
Token: 34	900	WMIC.exe
Token: 35	900	WMIC.exe
Token: 36	900	WMIC.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 808	1136	37ccff7149eff8c0241ba7c76202f48745f64df0f56f3aa5610e92735a14e271.exe	86
PID 1136 wrote to memory of 808	1136	37ccff7149eff8c0241ba7c76202f48745f64df0f56f3aa5610e92735a14e271.exe	86
PID 1136 wrote to memory of 808	1136	37ccff7149eff8c0241ba7c76202f48745f64df0f56f3aa5610e92735a14e271.exe	86
PID 808 wrote to memory of 5044	808	cmd.exe	89
PID 808 wrote to memory of 5044	808	cmd.exe	89
PID 808 wrote to memory of 5044	808	cmd.exe	89
PID 5044 wrote to memory of 2076	5044	cmd.exe	90
PID 5044 wrote to memory of 2076	5044	cmd.exe	90
PID 5044 wrote to memory of 2076	5044	cmd.exe	90
PID 808 wrote to memory of 4576	808	cmd.exe	91
PID 808 wrote to memory of 4576	808	cmd.exe	91
PID 808 wrote to memory of 4576	808	cmd.exe	91
PID 4576 wrote to memory of 900	4576	cmd.exe	92
PID 4576 wrote to memory of 900	4576	cmd.exe	92
PID 4576 wrote to memory of 900	4576	cmd.exe	92
PID 808 wrote to memory of 4948	808	cmd.exe	94
PID 808 wrote to memory of 4948	808	cmd.exe	94
PID 808 wrote to memory of 4948	808	cmd.exe	94
PID 808 wrote to memory of 1328	808	cmd.exe	98
PID 808 wrote to memory of 1328	808	cmd.exe	98
PID 808 wrote to memory of 1328	808	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\37ccff7149eff8c0241ba7c76202f48745f64df0f56f3aa5610e92735a14e271.exe
"C:\Users\Admin\AppData\Local\Temp\37ccff7149eff8c0241ba7c76202f48745f64df0f56f3aa5610e92735a14e271.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    PID:880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    PID:3844
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
14e7e00dc2f0c42d2d79431c8e6c8fe5

SHA1
2530b8585b26ec8fd0c868da198d43c642cadbde

SHA256
672716a315c183a6a847c65bfc2bb8f6dd650216081d811107c03c3380cb7162

SHA512
0b52c985744c28f205954ec11a6353b2c0e6df877a2bbbad205110bfefc6877b4c3296660d7d0c44475233f8d1c5febf8c08d8d11d0c0041c126022a083813ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
93d4d79ae669c36589721171ae4bb535

SHA1
002aa120be3baf2e8312eccd7ad48680bed2be96

SHA256
4bb3374302148eccf1b4a20dd862a71aea23d8ff8fc283269420d6a6a5ddc2e5

SHA512
dea241521f09f302de82bb046a14b8e24a207fc01f22592d5d0b29b331537dd535cf97e02b7cca992f0cdd66e560ccedcbf7a75bdc5a0ec992d9bc8963dd8879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
f66c19d2dbc4ef9fbb0f371b9cfccf95

SHA1
348a8ace65c2a896d665ef28d96f442a041aacc4

SHA256
3f0cd8e4a0536391b84f28a8f758cedf1df7c58f1a9a0e4fb228fdfcb905bc19

SHA512
a1422693247ffe9ae2b6e51f9d45bb05e6f8970636cf0ebb755829650152c3a08c5c8ad8ba199e1d2b10c09c1409b7175716d2514c1f333d69444ed44c31947c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x03jt4ij.fqo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
memory/880-199-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/880-198-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/880-186-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/880-185-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/880-184-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/1328-169-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/1328-168-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/1328-170-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/1328-182-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/1328-183-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/3844-200-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/3844-215-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/3844-214-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/3844-202-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/3844-201-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/4948-151-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/4948-149-0x0000000005590000-0x0000000005BB8000-memory.dmp

Filesize
6.2MB

Download
memory/4948-146-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/4948-148-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/4948-150-0x0000000005510000-0x0000000005532000-memory.dmp

Filesize
136KB

Download
memory/4948-166-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/4948-152-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Filesize
408KB

Download
memory/4948-147-0x0000000002F10000-0x0000000002F46000-memory.dmp

Filesize
216KB

Download
memory/4948-162-0x00000000064E0000-0x00000000064FE000-memory.dmp

Filesize
120KB

Download
memory/4948-163-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download