3c47a384da2b6fe0151e5dcfb8a3333f81c7eb84d0b7cb47ddb92d968802c8ee

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 10:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6c294acbbe42f8b78db8f63bf91f1d40_JC.exe
Size

124KB
MD5

6c294acbbe42f8b78db8f63bf91f1d40
SHA1

7e16cdb2b1afa441041d1c3c614dc52e0dad3b3c
SHA256

3c47a384da2b6fe0151e5dcfb8a3333f81c7eb84d0b7cb47ddb92d968802c8ee
SHA512

e74c65bad0e68830e169c8b92bcfb8dfd4c8a7120b6eec780e021a8dfefd9fafdf4016f67eb47982407814f92befbca6ee934271b1fc6e0a1f922c17c86e4bc1
SSDEEP

3072:cq8f/oic1i9uTAlPQSDwEyWefHEvGdxETCpPJ:z8f/U1iF/sUGdxET

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2972	6c294acbbe42f8b78db8f63bf91f1d40_JC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2052	2972	6c294acbbe42f8b78db8f63bf91f1d40_JC.exe	28
PID 2972 wrote to memory of 2052	2972	6c294acbbe42f8b78db8f63bf91f1d40_JC.exe	28
PID 2972 wrote to memory of 2052	2972	6c294acbbe42f8b78db8f63bf91f1d40_JC.exe	28
PID 2972 wrote to memory of 2052	2972	6c294acbbe42f8b78db8f63bf91f1d40_JC.exe	28
PID 2052 wrote to memory of 2616	2052	cmd.exe	30
PID 2052 wrote to memory of 2616	2052	cmd.exe	30
PID 2052 wrote to memory of 2616	2052	cmd.exe	30
PID 2052 wrote to memory of 2616	2052	cmd.exe	30

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2616	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6c294acbbe42f8b78db8f63bf91f1d40_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6c294acbbe42f8b78db8f63bf91f1d40_JC.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\jat962E.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\6c294acbbe42f8b78db8f63bf91f1d40_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\6c294acbbe42f8b78db8f63bf91f1d40_JC.exe"
    3⤵
    - Views/modifies file attributes
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\jat962E.tmp.bat

Filesize
57B

MD5
1f26a0eb97fe5c226f14c4d89ada7870

SHA1
6c3c809e0caa446fa7282fca4d9141847d916437

SHA256
d2c50f04deb73d8be3e0b56293a9db6aa59cd192c2daf02bb58c01fe4aca5465

SHA512
ff462dd2c99377f43c28fb9fc081c3990ee87e8e647068b1f60b58c38a5077abbfbfcbe9fb9c621e2bb4dcf18e7527065c13ac720edfc9003b8b45bb2419b29c

Download Submit
C:\Users\Admin\AppData\Local\jat962E.tmp.bat

Filesize
57B

MD5
1f26a0eb97fe5c226f14c4d89ada7870

SHA1
6c3c809e0caa446fa7282fca4d9141847d916437

SHA256
d2c50f04deb73d8be3e0b56293a9db6aa59cd192c2daf02bb58c01fe4aca5465

SHA512
ff462dd2c99377f43c28fb9fc081c3990ee87e8e647068b1f60b58c38a5077abbfbfcbe9fb9c621e2bb4dcf18e7527065c13ac720edfc9003b8b45bb2419b29c

Download Submit
memory/2972-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2972-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download