d587be51aa8da3d6ec72c1c3ad9c24c04c5ef97d4da7f8edb9c0ae04f6e111ab

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2023 12:59

Target

tmp.exe
Size

274KB
MD5

a0bfccb8cc68d350b02287d70507e70d
SHA1

3b274838cd098c2f26ece2928300fe4f1e24a9d4
SHA256

d587be51aa8da3d6ec72c1c3ad9c24c04c5ef97d4da7f8edb9c0ae04f6e111ab
SHA512

2e697d859c3c40acf033b20716fd2ecf427dbd85db470fd42907090b17dd73b7ba2506a9c56836d75f9f52ffead67258c7fb24de03715293d63ba0c349ff8cec
SSDEEP

6144:PYa689fXW3LMiiTEqOyYKFEZWAQoAALLg6UM6KYUvjuyT2XH9PDD0:PYS9fXW+TEqdXkLg6YUrui2Xd7D0

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
4400	tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4400 set thread context of 4420	4400	tmp.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4400	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4420	tmp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 4420	4400	tmp.exe	81
PID 4400 wrote to memory of 4420	4400	tmp.exe	81
PID 4400 wrote to memory of 4420	4400	tmp.exe	81
PID 4400 wrote to memory of 4420	4400	tmp.exe	81

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\wkybeb.dll

Filesize
49KB

MD5
9da370474c2a7427495e83bed70b87ab

SHA1
de2b22ba5cf618e0fc6ff30a8927820f1544068a

SHA256
9cba1183ed6a9a89a34805730da01edaed2026b3d3cad0e3ef9710fbeb3ec442

SHA512
bc736a5dcf5d6e227773dd59747eeb0f0035f09bc93bb85d9dc78c48e1fa62a17cef3f200102a47b94fe868020caf52aa0e3cc93b93d26db483b46e5f7aef54a

Download Submit
memory/4400-139-0x00000000000A0000-0x00000000001A0000-memory.dmp

Filesize
1024KB

Download
memory/4420-140-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4420-141-0x0000000000A40000-0x0000000000D8A000-memory.dmp

Filesize
3.3MB

Download
memory/4420-142-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download