6a096c8158da4e2453ba68fe0f780c2e4181c01f125d7831fc5d58a77faf792c

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2023 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

447KB
MD5

89f71046c8298c6ef2db92fe202f9b43
SHA1

1fad31eedaa7437e96f9a13f60e85c1d14afa08f
SHA256

6a096c8158da4e2453ba68fe0f780c2e4181c01f125d7831fc5d58a77faf792c
SHA512

972abc83a524cca9ac8c326c2d4e8cc49f4b877965ba6bce941b7a1b13ae7fd4306cffdb63e1bcbede44aca7a515a13d67db77045e502e8424e9d7d95e95a2d4
SSDEEP

6144:PW/OU+cR2lBLVa8MK1hmcRwpq/JiTTUh/:eR2jLt1hmcRwpq/JiTTUh/

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 4340 set thread context of 5052 4340 tmp.exe cmd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tmp.execmd.exe

pid process

4340 tmp.exe
5052 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

tmp.execmd.exe

pid process

4340 tmp.exe
5052 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeManageVolumePrivilege 2804 svchost.exe

description	pid	process	target process
PID 4340 set thread context of 5052	4340	tmp.exe	cmd.exe

pid	process
4340	tmp.exe
5052	cmd.exe

pid	process
4340	tmp.exe
5052	cmd.exe

description	pid	process
Token: SeManageVolumePrivilege	2804	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

tmp.execmd.exe

description	pid	process	target process
PID 4340 wrote to memory of 5052	4340	tmp.exe	cmd.exe
PID 4340 wrote to memory of 5052	4340	tmp.exe	cmd.exe
PID 4340 wrote to memory of 5052	4340	tmp.exe	cmd.exe
PID 4340 wrote to memory of 5052	4340	tmp.exe	cmd.exe
PID 5052 wrote to memory of 2452	5052	cmd.exe	explorer.exe
PID 5052 wrote to memory of 2452	5052	cmd.exe	explorer.exe
PID 5052 wrote to memory of 2452	5052	cmd.exe	explorer.exe
PID 5052 wrote to memory of 2452	5052	cmd.exe	explorer.exe
PID 5052 wrote to memory of 2452	5052	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:2452

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1a6d7aee

Filesize
1.0MB

MD5
ce6b8fa133eee751b80d7db6cf22e2a7

SHA1
e9fbbab0a58638965b5722e994c098a6c366699e

SHA256
bb6243362e36710cf62f1dd2f94479f351210c8c102a77c2043dcb9e7e8c7c4b

SHA512
7f7cbec7dcce624357d6703b1c268bc2ef37939e509a64166425a31331aecf286421fd5d2f3ccb11c08191e5dd550cd5512d42fc068ede5974dc99bfc51e2bed

Download Submit
memory/2452-12-0x00007FFCF4F90000-0x00007FFCF5185000-memory.dmp

Filesize
2.0MB

Download
memory/2452-16-0x0000000000B00000-0x0000000000B7A000-memory.dmp

Filesize
488KB

Download
memory/2452-14-0x0000000000010000-0x0000000000443000-memory.dmp

Filesize
4.2MB

Download
memory/2452-15-0x0000000000B00000-0x0000000000B7A000-memory.dmp

Filesize
488KB

Download
memory/2452-13-0x0000000000B00000-0x0000000000B7A000-memory.dmp

Filesize
488KB

Download
memory/2804-57-0x000002225F690000-0x000002225F691000-memory.dmp

Filesize
4KB

Download
memory/2804-56-0x000002225F690000-0x000002225F691000-memory.dmp

Filesize
4KB

Download
memory/2804-54-0x000002225F660000-0x000002225F661000-memory.dmp

Filesize
4KB

Download
memory/2804-58-0x000002225F7A0000-0x000002225F7A1000-memory.dmp

Filesize
4KB

Download
memory/2804-38-0x0000022257340000-0x0000022257350000-memory.dmp

Filesize
64KB

Download
memory/2804-22-0x0000022257240000-0x0000022257250000-memory.dmp

Filesize
64KB

Download
memory/4340-4-0x00000000766E0000-0x000000007679F000-memory.dmp

Filesize
764KB

Download
memory/4340-2-0x00000000766E0000-0x000000007679F000-memory.dmp

Filesize
764KB

Download
memory/4340-3-0x00000000766E0000-0x000000007679F000-memory.dmp

Filesize
764KB

Download
memory/4340-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5052-10-0x0000000001080000-0x000000000113F000-memory.dmp

Filesize
764KB

Download
memory/5052-9-0x0000000001080000-0x000000000113F000-memory.dmp

Filesize
764KB

Download
memory/5052-7-0x00007FFCF4F90000-0x00007FFCF5185000-memory.dmp

Filesize
2.0MB

Download