a5bc3bb46a59bc8a052b9790b490fac15759e3fbac80fc09c8163c67c27529aa

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2023, 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5bc3bb46a59bc8a052b9790b490fac15759e3fbac80fc09c8163c67c27529aa.exe
Size

197KB
MD5

cbb50fe5486c223a9f022679692d8317
SHA1

e7e1b2320d7be6137d3748cfc43066a70eb944bc
SHA256

a5bc3bb46a59bc8a052b9790b490fac15759e3fbac80fc09c8163c67c27529aa
SHA512

e2e157953acfe0b2be7d353ab8a072e443327b7474a9eafafaafa4cb59b224512d557bd50a4ceb1acc0bc6d046fbb5b7761b932b7a7850113c57c524731fd282
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOO:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1344	mewhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\mewhost.exe	a5bc3bb46a59bc8a052b9790b490fac15759e3fbac80fc09c8163c67c27529aa.exe
File opened for modification	C:\Windows\Debug\mewhost.exe	a5bc3bb46a59bc8a052b9790b490fac15759e3fbac80fc09c8163c67c27529aa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	244	a5bc3bb46a59bc8a052b9790b490fac15759e3fbac80fc09c8163c67c27529aa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 5020	244	a5bc3bb46a59bc8a052b9790b490fac15759e3fbac80fc09c8163c67c27529aa.exe	83
PID 244 wrote to memory of 5020	244	a5bc3bb46a59bc8a052b9790b490fac15759e3fbac80fc09c8163c67c27529aa.exe	83
PID 244 wrote to memory of 5020	244	a5bc3bb46a59bc8a052b9790b490fac15759e3fbac80fc09c8163c67c27529aa.exe	83

C:\Users\Admin\AppData\Local\Temp\a5bc3bb46a59bc8a052b9790b490fac15759e3fbac80fc09c8163c67c27529aa.exe
"C:\Users\Admin\AppData\Local\Temp\a5bc3bb46a59bc8a052b9790b490fac15759e3fbac80fc09c8163c67c27529aa.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A5BC3B~1.EXE > nul
  2⤵
  PID:5020

C:\Windows\Debug\mewhost.exe
C:\Windows\Debug\mewhost.exe
1⤵
- Executes dropped EXE
PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\mewhost.exe

Filesize
198KB

MD5
7e2f0fb828279eac3a6000625483cf6a

SHA1
f4ef793cb78f1cc087ae11b74015af44f3188ee3

SHA256
d65cfe818150efae4232d815e12f40d2b9fb34db77881e4bad3b9074dc2880e2

SHA512
2dd61c205b2b100f85d8c6ead3800e36f4cf6b5296f459941cb273ed19eb7b38aadc125e38b6469937ffa7d25112753d40eea0572c19e871faaccccea1b6a55a

Download Submit
C:\Windows\debug\mewhost.exe

Filesize
198KB

MD5
7e2f0fb828279eac3a6000625483cf6a

SHA1
f4ef793cb78f1cc087ae11b74015af44f3188ee3

SHA256
d65cfe818150efae4232d815e12f40d2b9fb34db77881e4bad3b9074dc2880e2

SHA512
2dd61c205b2b100f85d8c6ead3800e36f4cf6b5296f459941cb273ed19eb7b38aadc125e38b6469937ffa7d25112753d40eea0572c19e871faaccccea1b6a55a

Download Submit