333bc32326a9e14e0e2aaaf220a45c75a82bbd1664eef56d6da563c4a45aa6bf

Analysis

max time kernel
141s
max time network
127s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

333bc32326a9e14e0e2aaaf220a45c75a82bbd1664eef56d6da563c4a45aa6bf.exe
Size

199KB
MD5

f7fb67b93eddc23f122d98ceedd3eb11
SHA1

f7e466e43b0e22915cd4bab1ca38b34ff5fe17f0
SHA256

333bc32326a9e14e0e2aaaf220a45c75a82bbd1664eef56d6da563c4a45aa6bf
SHA512

e7aa937ecae9b8b3d408eee78f38b68c95145dcd0400628155b69450ae26c3c56c28da87b393f2a490c89c6df950d5d431cd7a3aa7e6fb7b895fa355d4eae44d
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOD:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXX6

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3056	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	rwmhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\rwmhost.exe	333bc32326a9e14e0e2aaaf220a45c75a82bbd1664eef56d6da563c4a45aa6bf.exe
File opened for modification	C:\Windows\Debug\rwmhost.exe	333bc32326a9e14e0e2aaaf220a45c75a82bbd1664eef56d6da563c4a45aa6bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rwmhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rwmhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2060	333bc32326a9e14e0e2aaaf220a45c75a82bbd1664eef56d6da563c4a45aa6bf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 3056	2060	333bc32326a9e14e0e2aaaf220a45c75a82bbd1664eef56d6da563c4a45aa6bf.exe	29
PID 2060 wrote to memory of 3056	2060	333bc32326a9e14e0e2aaaf220a45c75a82bbd1664eef56d6da563c4a45aa6bf.exe	29
PID 2060 wrote to memory of 3056	2060	333bc32326a9e14e0e2aaaf220a45c75a82bbd1664eef56d6da563c4a45aa6bf.exe	29
PID 2060 wrote to memory of 3056	2060	333bc32326a9e14e0e2aaaf220a45c75a82bbd1664eef56d6da563c4a45aa6bf.exe	29

C:\Users\Admin\AppData\Local\Temp\333bc32326a9e14e0e2aaaf220a45c75a82bbd1664eef56d6da563c4a45aa6bf.exe
"C:\Users\Admin\AppData\Local\Temp\333bc32326a9e14e0e2aaaf220a45c75a82bbd1664eef56d6da563c4a45aa6bf.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\333BC3~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3056

C:\Windows\Debug\rwmhost.exe
C:\Windows\Debug\rwmhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\rwmhost.exe

Filesize
199KB

MD5
4156e97c8d5baa5d147e6225bd808fe5

SHA1
fe7bdc03a6e084d5a32e4146e551ed067c02f675

SHA256
ab4437537c8b2fc35612fedaa0b917d53651871fa02ffa912a2c82a05a9183f8

SHA512
86b724264360463e884303d16a8cf1324e40b6f084e2011da4de445c62ae3ac1d9ef675cd4db4073246c07f3e6264fd65f11cf18e9733dc8f06bc2cb511417c5

Download Submit