94e3a8f25dbff86ee6fe11ee045b70055357c08ae1723598a361c96eac5e2c24

Analysis

max time kernel
49s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2023 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rootkits/044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
Size

246KB
MD5

5b65e0442761c3ba7ab13f19e696a3ad
SHA1

840cd5fabb617cdfd848ff29253b4cce79213a35
SHA256

044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d
SHA512

a5af3f57bbeea72a98fa3fcf499f98e568994a9ea29ab5558fc691d83d97decf2c9aa17d2f157442baf63c06b8fcc3c604a5098289c991cd7b061cb22cd64ec7
SSDEEP

3072:dZvq0Fnr1gWPgOYVkN6rnhccEYMY2wuoyq8pq+8MhHRIK8k4B7KHpwRXDYNdY2vx:dZvdr1bkVkNwzEJwu1Z/L8hgpwZY79

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe

pid	process
4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe

description pid process

Token: SeDebugPrivilege 4984 044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe

description	pid	process
Token: SeDebugPrivilege	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exelsass.exe

description	pid	process	target process
PID 4984 wrote to memory of 632	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	winlogon.exe
PID 4984 wrote to memory of 692	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	lsass.exe
PID 4984 wrote to memory of 972	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 692 wrote to memory of 2544	692	lsass.exe	sysmon.exe
PID 4984 wrote to memory of 404	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	dwm.exe
PID 4984 wrote to memory of 444	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 4984 wrote to memory of 1040	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 4984 wrote to memory of 1064	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 4984 wrote to memory of 1112	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 4984 wrote to memory of 1216	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 4984 wrote to memory of 1248	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 4984 wrote to memory of 1336	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 4984 wrote to memory of 1352	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 4984 wrote to memory of 1368	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 4984 wrote to memory of 1464	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 4984 wrote to memory of 1472	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 4984 wrote to memory of 1536	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 4984 wrote to memory of 1544	4984	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1216

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\Rootkits\044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
"C:\Users\Admin\AppData\Local\Temp\Rootkits\044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/404-14-0x0000020ADDD60000-0x0000020ADDD8A000-memory.dmp

Filesize
168KB

Download
memory/404-25-0x0000020ADDD60000-0x0000020ADDD8A000-memory.dmp

Filesize
168KB

Download
memory/444-30-0x000001BFB2B60000-0x000001BFB2B8A000-memory.dmp

Filesize
168KB

Download
memory/444-24-0x00007FFF8E850000-0x00007FFF8E860000-memory.dmp

Filesize
64KB

Download
memory/444-21-0x000001BFB2B60000-0x000001BFB2B8A000-memory.dmp

Filesize
168KB

Download
memory/632-2-0x0000022E490A0000-0x0000022E490C3000-memory.dmp

Filesize
140KB

Download
memory/632-8-0x00007FFFCE86D000-0x00007FFFCE86E000-memory.dmp

Filesize
4KB

Download
memory/632-5-0x0000022E490D0000-0x0000022E490FA000-memory.dmp

Filesize
168KB

Download
memory/632-11-0x00007FFFCE86F000-0x00007FFFCE870000-memory.dmp

Filesize
4KB

Download
memory/632-55-0x0000022E490D0000-0x0000022E490FA000-memory.dmp

Filesize
168KB

Download
memory/692-19-0x00007FFFCE86D000-0x00007FFFCE86E000-memory.dmp

Filesize
4KB

Download
memory/692-16-0x000002DA9ED40000-0x000002DA9ED6A000-memory.dmp

Filesize
168KB

Download
memory/692-7-0x000002DA9ED40000-0x000002DA9ED6A000-memory.dmp

Filesize
168KB

Download
memory/692-9-0x00007FFF8E850000-0x00007FFF8E860000-memory.dmp

Filesize
64KB

Download
memory/972-28-0x00007FFFCE86C000-0x00007FFFCE86D000-memory.dmp

Filesize
4KB

Download
memory/972-13-0x000001FD87FE0000-0x000001FD8800A000-memory.dmp

Filesize
168KB

Download
memory/972-22-0x000001FD87FE0000-0x000001FD8800A000-memory.dmp

Filesize
168KB

Download
memory/972-17-0x00007FFF8E850000-0x00007FFF8E860000-memory.dmp

Filesize
64KB

Download
memory/1040-23-0x000001E9F2140000-0x000001E9F216A000-memory.dmp

Filesize
168KB

Download
memory/1040-26-0x00007FFF8E850000-0x00007FFF8E860000-memory.dmp

Filesize
64KB

Download
memory/1040-31-0x000001E9F2140000-0x000001E9F216A000-memory.dmp

Filesize
168KB

Download
memory/1064-35-0x00000298A9D90000-0x00000298A9DBA000-memory.dmp

Filesize
168KB

Download
memory/1064-37-0x00007FFF8E850000-0x00007FFF8E860000-memory.dmp

Filesize
64KB

Download
memory/1064-60-0x00000298A9D90000-0x00000298A9DBA000-memory.dmp

Filesize
168KB

Download
memory/1112-66-0x00000294C2D10000-0x00000294C2D3A000-memory.dmp

Filesize
168KB

Download
memory/1112-42-0x00000294C2D10000-0x00000294C2D3A000-memory.dmp

Filesize
168KB

Download
memory/1112-44-0x00007FFF8E850000-0x00007FFF8E860000-memory.dmp

Filesize
64KB

Download
memory/1216-46-0x0000028EAED90000-0x0000028EAEDBA000-memory.dmp

Filesize
168KB

Download
memory/1216-71-0x0000028EAED90000-0x0000028EAEDBA000-memory.dmp

Filesize
168KB

Download
memory/1216-45-0x00007FFF8E850000-0x00007FFF8E860000-memory.dmp

Filesize
64KB

Download
memory/1216-41-0x0000028EAED90000-0x0000028EAEDBA000-memory.dmp

Filesize
168KB

Download
memory/1248-50-0x00007FFF8E850000-0x00007FFF8E860000-memory.dmp

Filesize
64KB

Download
memory/1248-47-0x00000212E7BA0000-0x00000212E7BCA000-memory.dmp

Filesize
168KB

Download
memory/1248-88-0x00000212E7BA0000-0x00000212E7BCA000-memory.dmp

Filesize
168KB

Download
memory/1336-106-0x00000231BA490000-0x00000231BA4BA000-memory.dmp

Filesize
168KB

Download
memory/1336-54-0x00007FFF8E850000-0x00007FFF8E860000-memory.dmp

Filesize
64KB

Download
memory/1336-52-0x00000231BA490000-0x00000231BA4BA000-memory.dmp

Filesize
168KB

Download
memory/1352-59-0x000001EBEE510000-0x000001EBEE53A000-memory.dmp

Filesize
168KB

Download
memory/1352-61-0x00007FFF8E850000-0x00007FFF8E860000-memory.dmp

Filesize
64KB

Download
memory/1368-65-0x0000028538D70000-0x0000028538D9A000-memory.dmp

Filesize
168KB

Download
memory/1368-75-0x0000028538D70000-0x0000028538D9A000-memory.dmp

Filesize
168KB

Download
memory/1368-68-0x00007FFF8E850000-0x00007FFF8E860000-memory.dmp

Filesize
64KB

Download
memory/1464-69-0x00000297CB730000-0x00000297CB75A000-memory.dmp

Filesize
168KB

Download
memory/1464-72-0x00007FFF8E850000-0x00007FFF8E860000-memory.dmp

Filesize
64KB

Download
memory/1464-79-0x00000297CB730000-0x00000297CB75A000-memory.dmp

Filesize
168KB

Download
memory/1472-77-0x00000242F15B0000-0x00000242F15DA000-memory.dmp

Filesize
168KB

Download
memory/1472-80-0x00007FFF8E850000-0x00007FFF8E860000-memory.dmp

Filesize
64KB

Download
memory/1472-92-0x00000242F15B0000-0x00000242F15DA000-memory.dmp

Filesize
168KB

Download
memory/1536-81-0x000002283F290000-0x000002283F2BA000-memory.dmp

Filesize
168KB

Download
memory/1544-85-0x000002AB6D770000-0x000002AB6D79A000-memory.dmp

Filesize
168KB

Download
memory/1664-99-0x000001EF5B4A0000-0x000001EF5B4CA000-memory.dmp

Filesize
168KB

Download
memory/1676-96-0x00000282D40B0000-0x00000282D40DA000-memory.dmp

Filesize
168KB

Download
memory/1752-103-0x00000212755A0000-0x00000212755CA000-memory.dmp

Filesize
168KB

Download
memory/1784-110-0x00000239FAD40000-0x00000239FAD6A000-memory.dmp

Filesize
168KB

Download
memory/1872-114-0x000002446CBD0000-0x000002446CBFA000-memory.dmp

Filesize
168KB

Download
memory/4984-0-0x00007FFFCE7D0000-0x00007FFFCE9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-1-0x00007FFFCC820000-0x00007FFFCC8DE000-memory.dmp

Filesize
760KB

Download