cbf90748695e4ca2e86940826f2c8b31384141956c3c06da9ec15e5c5bf8d3c7

Analysis

max time kernel
9s
max time network
7s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
02-08-2023 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbf90748695e4ca2e86940826f2c8b31384141956c3c06da9ec15e5c5bf8d3c7.exe
Size

1.4MB
MD5

6050a8462079e52a4832729c37fe1e9e
SHA1

181d883ddfd3bbf3491e094ac3d452cda856b8e8
SHA256

cbf90748695e4ca2e86940826f2c8b31384141956c3c06da9ec15e5c5bf8d3c7
SHA512

8e5587bad3f6b596eaac8fd99bdb61be6563f5183173c042b7ca12ed97c869938a50bd9bfa7a59d671369fd2535e8a20bf886d6c379e3cc03a0541e6d5076506
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe
220	powershell.exe
220	powershell.exe
220	powershell.exe
2724	powershell.exe
2724	powershell.exe
2724	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3572	WMIC.exe
Token: SeSecurityPrivilege	3572	WMIC.exe
Token: SeTakeOwnershipPrivilege	3572	WMIC.exe
Token: SeLoadDriverPrivilege	3572	WMIC.exe
Token: SeSystemProfilePrivilege	3572	WMIC.exe
Token: SeSystemtimePrivilege	3572	WMIC.exe
Token: SeProfSingleProcessPrivilege	3572	WMIC.exe
Token: SeIncBasePriorityPrivilege	3572	WMIC.exe
Token: SeCreatePagefilePrivilege	3572	WMIC.exe
Token: SeBackupPrivilege	3572	WMIC.exe
Token: SeRestorePrivilege	3572	WMIC.exe
Token: SeShutdownPrivilege	3572	WMIC.exe
Token: SeDebugPrivilege	3572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3572	WMIC.exe
Token: SeRemoteShutdownPrivilege	3572	WMIC.exe
Token: SeUndockPrivilege	3572	WMIC.exe
Token: SeManageVolumePrivilege	3572	WMIC.exe
Token: 33	3572	WMIC.exe
Token: 34	3572	WMIC.exe
Token: 35	3572	WMIC.exe
Token: 36	3572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3572	WMIC.exe
Token: SeSecurityPrivilege	3572	WMIC.exe
Token: SeTakeOwnershipPrivilege	3572	WMIC.exe
Token: SeLoadDriverPrivilege	3572	WMIC.exe
Token: SeSystemProfilePrivilege	3572	WMIC.exe
Token: SeSystemtimePrivilege	3572	WMIC.exe
Token: SeProfSingleProcessPrivilege	3572	WMIC.exe
Token: SeIncBasePriorityPrivilege	3572	WMIC.exe
Token: SeCreatePagefilePrivilege	3572	WMIC.exe
Token: SeBackupPrivilege	3572	WMIC.exe
Token: SeRestorePrivilege	3572	WMIC.exe
Token: SeShutdownPrivilege	3572	WMIC.exe
Token: SeDebugPrivilege	3572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3572	WMIC.exe
Token: SeRemoteShutdownPrivilege	3572	WMIC.exe
Token: SeUndockPrivilege	3572	WMIC.exe
Token: SeManageVolumePrivilege	3572	WMIC.exe
Token: 33	3572	WMIC.exe
Token: 34	3572	WMIC.exe
Token: 35	3572	WMIC.exe
Token: 36	3572	WMIC.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3788	5048	cbf90748695e4ca2e86940826f2c8b31384141956c3c06da9ec15e5c5bf8d3c7.exe	70
PID 5048 wrote to memory of 3788	5048	cbf90748695e4ca2e86940826f2c8b31384141956c3c06da9ec15e5c5bf8d3c7.exe	70
PID 5048 wrote to memory of 3788	5048	cbf90748695e4ca2e86940826f2c8b31384141956c3c06da9ec15e5c5bf8d3c7.exe	70
PID 3788 wrote to memory of 1000	3788	cmd.exe	73
PID 3788 wrote to memory of 1000	3788	cmd.exe	73
PID 3788 wrote to memory of 1000	3788	cmd.exe	73
PID 1000 wrote to memory of 1684	1000	cmd.exe	74
PID 1000 wrote to memory of 1684	1000	cmd.exe	74
PID 1000 wrote to memory of 1684	1000	cmd.exe	74
PID 3788 wrote to memory of 3148	3788	cmd.exe	75
PID 3788 wrote to memory of 3148	3788	cmd.exe	75
PID 3788 wrote to memory of 3148	3788	cmd.exe	75
PID 3148 wrote to memory of 3572	3148	cmd.exe	76
PID 3148 wrote to memory of 3572	3148	cmd.exe	76
PID 3148 wrote to memory of 3572	3148	cmd.exe	76
PID 3788 wrote to memory of 3060	3788	cmd.exe	78
PID 3788 wrote to memory of 3060	3788	cmd.exe	78
PID 3788 wrote to memory of 3060	3788	cmd.exe	78
PID 3788 wrote to memory of 220	3788	cmd.exe	79
PID 3788 wrote to memory of 220	3788	cmd.exe	79
PID 3788 wrote to memory of 220	3788	cmd.exe	79
PID 3788 wrote to memory of 2724	3788	cmd.exe	80
PID 3788 wrote to memory of 2724	3788	cmd.exe	80
PID 3788 wrote to memory of 2724	3788	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\cbf90748695e4ca2e86940826f2c8b31384141956c3c06da9ec15e5c5bf8d3c7.exe
"C:\Users\Admin\AppData\Local\Temp\cbf90748695e4ca2e86940826f2c8b31384141956c3c06da9ec15e5c5bf8d3c7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3572
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
cdd37a0bdbee31392f3b833d90b9c190

SHA1
b827f9e08a371f0d68569b170416ff320c7e1969

SHA256
356dd829ba9de569ce5459bd8d7e5fb793f6a899a49a961f74c0ed05c2b7ee89

SHA512
69cf25757ea8b7fd388ff3b0b8c006228d72ee8290a80846fff711e16f5d3a51da036e64c304bd58bb461ac13c85f31e07e4cc1365f4aa9f401a617fa908c829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
531daaf5e79298040fa989003979191a

SHA1
2fecc1117b96c74a2d7df891952cd34946ba07aa

SHA256
0e6cd622fb059d9d68fdb03d686bfd93722f09f7bbfa0eecc456a01a5d8a235e

SHA512
40620450947a041faf74b33a7d2a02ca986931c88a4c3f3199331abbf0ee511e5631a5ccfa773a25491831c4c8f1145d8374ec296501be9fc60092f9db6ff1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
948f3326b2c072836b42dd88505be9e1

SHA1
8bfb8f1c4ad4da04e0138b8a101a6b850428116a

SHA256
a43cdbdb99268f64ecbff48cb220f038cf9611bae7390b30dc46a8b01e41b2e5

SHA512
045ffa8aaf73d15005a80ce546681f16e676d680126617e997c4d3c9189a3656dafa52fb3fdac9943e3b67427d02b521813f08c0d5d4a7f4865548ef53584893

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
78c6c04719b1c3c527fbc51615b271e1

SHA1
d9630042109fb362ef0362f1d4fab218f696d5cd

SHA256
c6d54e9df03f4614cb6c6e8ebbbfb313ff8a84fd19a30c83069c744ac1a95efe

SHA512
75dcffad564ec945094ba18a456499c41e7027a4e0ffac1e2f505de2e36b246b2953af50875bfd8cbea323a2da3d6dfff2005a57ee52e9754740441de7735604

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qhyypuem.qjo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
memory/220-180-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/220-179-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/220-167-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/220-166-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/220-165-0x0000000073A10000-0x00000000740FE000-memory.dmp

Filesize
6.9MB

Download
memory/220-183-0x0000000073A10000-0x00000000740FE000-memory.dmp

Filesize
6.9MB

Download
memory/2724-204-0x0000000073A10000-0x00000000740FE000-memory.dmp

Filesize
6.9MB

Download
memory/2724-186-0x0000000073A10000-0x00000000740FE000-memory.dmp

Filesize
6.9MB

Download
memory/2724-203-0x0000000006B70000-0x0000000006B80000-memory.dmp

Filesize
64KB

Download
memory/2724-200-0x0000000006B70000-0x0000000006B80000-memory.dmp

Filesize
64KB

Download
memory/2724-188-0x0000000006B70000-0x0000000006B80000-memory.dmp

Filesize
64KB

Download
memory/2724-187-0x0000000006B70000-0x0000000006B80000-memory.dmp

Filesize
64KB

Download
memory/3060-137-0x0000000006860000-0x0000000006870000-memory.dmp

Filesize
64KB

Download
memory/3060-136-0x0000000006860000-0x0000000006870000-memory.dmp

Filesize
64KB

Download
memory/3060-141-0x0000000007790000-0x00000000077F6000-memory.dmp

Filesize
408KB

Download
memory/3060-140-0x0000000007720000-0x0000000007786000-memory.dmp

Filesize
408KB

Download
memory/3060-139-0x0000000006E50000-0x0000000006E72000-memory.dmp

Filesize
136KB

Download
memory/3060-138-0x0000000006EA0000-0x00000000074C8000-memory.dmp

Filesize
6.2MB

Download
memory/3060-143-0x00000000076F0000-0x000000000770C000-memory.dmp

Filesize
112KB

Download
memory/3060-144-0x0000000007C20000-0x0000000007C6B000-memory.dmp

Filesize
300KB

Download
memory/3060-145-0x0000000007EF0000-0x0000000007F66000-memory.dmp

Filesize
472KB

Download
memory/3060-156-0x0000000006860000-0x0000000006870000-memory.dmp

Filesize
64KB

Download
memory/3060-161-0x0000000073A10000-0x00000000740FE000-memory.dmp

Filesize
6.9MB

Download
memory/3060-142-0x0000000007800000-0x0000000007B50000-memory.dmp

Filesize
3.3MB

Download
memory/3060-157-0x0000000006860000-0x0000000006870000-memory.dmp

Filesize
64KB

Download
memory/3060-134-0x0000000006760000-0x0000000006796000-memory.dmp

Filesize
216KB

Download
memory/3060-135-0x0000000073A10000-0x00000000740FE000-memory.dmp

Filesize
6.9MB

Download
memory/4336-227-0x0000000073A10000-0x00000000740FE000-memory.dmp

Filesize
6.9MB

Download
memory/4336-228-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/4336-229-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/5056-209-0x0000000007E10000-0x0000000007E5B000-memory.dmp

Filesize
300KB

Download
memory/5056-221-0x00000000068F0000-0x0000000006900000-memory.dmp

Filesize
64KB

Download
memory/5056-223-0x00000000068F0000-0x0000000006900000-memory.dmp

Filesize
64KB

Download
memory/5056-224-0x0000000073A10000-0x00000000740FE000-memory.dmp

Filesize
6.9MB

Download
memory/5056-207-0x0000000073A10000-0x00000000740FE000-memory.dmp

Filesize
6.9MB

Download