6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723

Analysis

max time kernel
126s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2023, 18:11 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe
Size

1.3MB
MD5

35b611cdea14a62de14b1f8471162853
SHA1

f138441d6987c1f57d448965bc64f9bc417d3844
SHA256

6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723
SHA512

b75ed07047c03174cc8a3f86808786200fb0e74e051bee758ccefc64cbea98915927c86ca799daff7ec44256674cf4159682cae375bfc570cdc3e89947e65e6b
SSDEEP

24576:hGtcJ+P7/Nx4aZcoootnwKDJiBPrMpG0mFmcyNCFZnI9QU3:6D1qaZcH6wGiBPD02mLYbc

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 60 set thread context of 1884	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
960	ipconfig.exe
1800	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1884	AppLaunch.exe
1884	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe
Token: SeDebugPrivilege	1884	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1884	AppLaunch.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 4956	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe	86
PID 60 wrote to memory of 4956	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe	86
PID 60 wrote to memory of 4956	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe	86
PID 4956 wrote to memory of 960	4956	cmd.exe	89
PID 4956 wrote to memory of 960	4956	cmd.exe	89
PID 4956 wrote to memory of 960	4956	cmd.exe	89
PID 60 wrote to memory of 3124	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe	94
PID 60 wrote to memory of 3124	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe	94
PID 60 wrote to memory of 3124	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe	94
PID 3124 wrote to memory of 1800	3124	cmd.exe	96
PID 3124 wrote to memory of 1800	3124	cmd.exe	96
PID 3124 wrote to memory of 1800	3124	cmd.exe	96
PID 60 wrote to memory of 1884	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe	97
PID 60 wrote to memory of 1884	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe	97
PID 60 wrote to memory of 1884	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe	97
PID 60 wrote to memory of 1884	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe	97
PID 60 wrote to memory of 1884	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe	97
PID 60 wrote to memory of 1884	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe	97
PID 60 wrote to memory of 1884	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe	97
PID 60 wrote to memory of 1884	60	6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe	97

C:\Users\Admin\AppData\Local\Temp\6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6544731644361dc0564b8286eafbfcc5e57c1a1fd5fbbbcb3f8316f81c6b3723_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1884

Network

DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR

Response
DNS

8.3.197.209.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.3.197.209.in-addr.arpa

IN PTR

Response

8.3.197.209.in-addr.arpa

IN PTR

vip0x008map2sslhwcdnnet
DNS

2.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

1.202.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.202.248.87.in-addr.arpa

IN PTR

Response

1.202.248.87.in-addr.arpa

IN PTR

https-87-248-202-1amsllnwnet
DNS

203.151.224.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.151.224.20.in-addr.arpa

IN PTR

Response
DNS

169.117.168.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

169.117.168.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

59.128.231.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

59.128.231.4.in-addr.arpa
8.8.8.8:53

8.3.197.209.in-addr.arpa

dns

70 B
111 B
1
1

DNS Request

8.3.197.209.in-addr.arpa
8.8.8.8:53

2.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

1.202.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

1.202.248.87.in-addr.arpa
8.8.8.8:53

203.151.224.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

203.151.224.20.in-addr.arpa
8.8.8.8:53

169.117.168.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

169.117.168.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-134-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/60-133-0x00000000008F0000-0x0000000000A3C000-memory.dmp

Filesize
1.3MB

Download
memory/60-135-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/60-136-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/60-137-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/60-138-0x0000000005450000-0x000000000545A000-memory.dmp

Filesize
40KB

Download
memory/60-142-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-139-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-140-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-144-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-146-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-148-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-152-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-150-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-154-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-158-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-156-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-160-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-162-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-164-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-166-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-168-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-170-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-172-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-174-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-176-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-178-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-180-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-182-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-184-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-186-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-188-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-190-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-192-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-194-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-196-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-198-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-200-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-202-0x0000000006AB0000-0x0000000006B75000-memory.dmp

Filesize
788KB

Download
memory/60-1215-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/60-1216-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/60-1217-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/60-1220-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/1884-1221-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/1884-1222-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1884-1223-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/1884-1224-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/1884-1225-0x0000000006160000-0x00000000061B0000-memory.dmp

Filesize
320KB

Download
memory/1884-1226-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/1884-1227-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.