d17a30ad362676dc0242de68d4107f9d5b7158a2d63039739e0f456da904043c

Analysis

max time kernel
29s
max time network
20s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
13/11/2023, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rmpg_myau (1).exe
Size

1.7MB
MD5

d1f546868502a147feaadb25e7c691c4
SHA1

ac6ae44123ed441c26d3d29dc334d9b9a0bc60c5
SHA256

d17a30ad362676dc0242de68d4107f9d5b7158a2d63039739e0f456da904043c
SHA512

2ca63c4ab83731db4492e1ff3916ac4d387553486e3b76e79ef3e23005e5bd2893b172fe12302b9ea312f15d0e042e2bf03a4a7b6923cd302b08bfec8fdfe82d
SSDEEP

49152:uBwrjbvDVom3it3gEBodCuh9MLKgmjFuR9:rnvDVomS5gcoP91gmwP

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4680	rmpg_myau (1).exe

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
4660	timeout.exe
320	timeout.exe
4936	timeout.exe
996	timeout.exe
4232	timeout.exe
1516	timeout.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery

T1057

pid	Process
3820	tasklist.exe
3396	tasklist.exe
216	tasklist.exe
4144	tasklist.exe
3172	tasklist.exe
1656	tasklist.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4680	rmpg_myau (1).exe
4680	rmpg_myau (1).exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	rmpg_myau (1).exe
Token: SeDebugPrivilege	3820	tasklist.exe
Token: SeDebugPrivilege	3396	tasklist.exe
Token: SeDebugPrivilege	216	tasklist.exe
Token: SeDebugPrivilege	4144	tasklist.exe
Token: SeDebugPrivilege	3172	tasklist.exe
Token: SeDebugPrivilege	1656	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4652	WMIC.exe
Token: SeSecurityPrivilege	4652	WMIC.exe
Token: SeTakeOwnershipPrivilege	4652	WMIC.exe
Token: SeLoadDriverPrivilege	4652	WMIC.exe
Token: SeSystemProfilePrivilege	4652	WMIC.exe
Token: SeSystemtimePrivilege	4652	WMIC.exe
Token: SeProfSingleProcessPrivilege	4652	WMIC.exe
Token: SeIncBasePriorityPrivilege	4652	WMIC.exe
Token: SeCreatePagefilePrivilege	4652	WMIC.exe
Token: SeBackupPrivilege	4652	WMIC.exe
Token: SeRestorePrivilege	4652	WMIC.exe
Token: SeShutdownPrivilege	4652	WMIC.exe
Token: SeDebugPrivilege	4652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4652	WMIC.exe
Token: SeRemoteShutdownPrivilege	4652	WMIC.exe
Token: SeUndockPrivilege	4652	WMIC.exe
Token: SeManageVolumePrivilege	4652	WMIC.exe
Token: 33	4652	WMIC.exe
Token: 34	4652	WMIC.exe
Token: 35	4652	WMIC.exe
Token: 36	4652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4652	WMIC.exe
Token: SeSecurityPrivilege	4652	WMIC.exe
Token: SeTakeOwnershipPrivilege	4652	WMIC.exe
Token: SeLoadDriverPrivilege	4652	WMIC.exe
Token: SeSystemProfilePrivilege	4652	WMIC.exe
Token: SeSystemtimePrivilege	4652	WMIC.exe
Token: SeProfSingleProcessPrivilege	4652	WMIC.exe
Token: SeIncBasePriorityPrivilege	4652	WMIC.exe
Token: SeCreatePagefilePrivilege	4652	WMIC.exe
Token: SeBackupPrivilege	4652	WMIC.exe
Token: SeRestorePrivilege	4652	WMIC.exe
Token: SeShutdownPrivilege	4652	WMIC.exe
Token: SeDebugPrivilege	4652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4652	WMIC.exe
Token: SeRemoteShutdownPrivilege	4652	WMIC.exe
Token: SeUndockPrivilege	4652	WMIC.exe
Token: SeManageVolumePrivilege	4652	WMIC.exe
Token: 33	4652	WMIC.exe
Token: 34	4652	WMIC.exe
Token: 35	4652	WMIC.exe
Token: 36	4652	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 1344	4680	rmpg_myau (1).exe	71
PID 4680 wrote to memory of 1344	4680	rmpg_myau (1).exe	71
PID 4680 wrote to memory of 1344	4680	rmpg_myau (1).exe	71
PID 4680 wrote to memory of 4972	4680	rmpg_myau (1).exe	73
PID 4680 wrote to memory of 4972	4680	rmpg_myau (1).exe	73
PID 4680 wrote to memory of 4972	4680	rmpg_myau (1).exe	73
PID 1344 wrote to memory of 2320	1344	cmd.exe	74
PID 1344 wrote to memory of 2320	1344	cmd.exe	74
PID 1344 wrote to memory of 2320	1344	cmd.exe	74
PID 1344 wrote to memory of 3820	1344	cmd.exe	75
PID 1344 wrote to memory of 3820	1344	cmd.exe	75
PID 1344 wrote to memory of 3820	1344	cmd.exe	75
PID 1344 wrote to memory of 3900	1344	cmd.exe	76
PID 1344 wrote to memory of 3900	1344	cmd.exe	76
PID 1344 wrote to memory of 3900	1344	cmd.exe	76
PID 1344 wrote to memory of 4660	1344	cmd.exe	78
PID 1344 wrote to memory of 4660	1344	cmd.exe	78
PID 1344 wrote to memory of 4660	1344	cmd.exe	78
PID 1344 wrote to memory of 3396	1344	cmd.exe	79
PID 1344 wrote to memory of 3396	1344	cmd.exe	79
PID 1344 wrote to memory of 3396	1344	cmd.exe	79
PID 1344 wrote to memory of 3764	1344	cmd.exe	80
PID 1344 wrote to memory of 3764	1344	cmd.exe	80
PID 1344 wrote to memory of 3764	1344	cmd.exe	80
PID 1344 wrote to memory of 320	1344	cmd.exe	81
PID 1344 wrote to memory of 320	1344	cmd.exe	81
PID 1344 wrote to memory of 320	1344	cmd.exe	81
PID 1344 wrote to memory of 216	1344	cmd.exe	82
PID 1344 wrote to memory of 216	1344	cmd.exe	82
PID 1344 wrote to memory of 216	1344	cmd.exe	82
PID 1344 wrote to memory of 228	1344	cmd.exe	83
PID 1344 wrote to memory of 228	1344	cmd.exe	83
PID 1344 wrote to memory of 228	1344	cmd.exe	83
PID 1344 wrote to memory of 4936	1344	cmd.exe	84
PID 1344 wrote to memory of 4936	1344	cmd.exe	84
PID 1344 wrote to memory of 4936	1344	cmd.exe	84
PID 1344 wrote to memory of 4144	1344	cmd.exe	85
PID 1344 wrote to memory of 4144	1344	cmd.exe	85
PID 1344 wrote to memory of 4144	1344	cmd.exe	85
PID 1344 wrote to memory of 4688	1344	cmd.exe	86
PID 1344 wrote to memory of 4688	1344	cmd.exe	86
PID 1344 wrote to memory of 4688	1344	cmd.exe	86
PID 1344 wrote to memory of 996	1344	cmd.exe	87
PID 1344 wrote to memory of 996	1344	cmd.exe	87
PID 1344 wrote to memory of 996	1344	cmd.exe	87
PID 1344 wrote to memory of 3172	1344	cmd.exe	88
PID 1344 wrote to memory of 3172	1344	cmd.exe	88
PID 1344 wrote to memory of 3172	1344	cmd.exe	88
PID 1344 wrote to memory of 348	1344	cmd.exe	89
PID 1344 wrote to memory of 348	1344	cmd.exe	89
PID 1344 wrote to memory of 348	1344	cmd.exe	89
PID 1344 wrote to memory of 4232	1344	cmd.exe	90
PID 1344 wrote to memory of 4232	1344	cmd.exe	90
PID 1344 wrote to memory of 4232	1344	cmd.exe	90
PID 1344 wrote to memory of 1656	1344	cmd.exe	91
PID 1344 wrote to memory of 1656	1344	cmd.exe	91
PID 1344 wrote to memory of 1656	1344	cmd.exe	91
PID 1344 wrote to memory of 1456	1344	cmd.exe	92
PID 1344 wrote to memory of 1456	1344	cmd.exe	92
PID 1344 wrote to memory of 1456	1344	cmd.exe	92
PID 1344 wrote to memory of 1516	1344	cmd.exe	93
PID 1344 wrote to memory of 1516	1344	cmd.exe	93
PID 1344 wrote to memory of 1516	1344	cmd.exe	93
PID 1344 wrote to memory of 2148	1344	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\rmpg_myau (1).exe
"C:\Users\Admin\AppData\Local\Temp\rmpg_myau (1).exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i_be_where_the_black_mold_grow.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "WindowTitle eq C:\Users\Admin\AppData\Local\Temp\rmpg_myau (1).exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3820
- - C:\Windows\SysWOW64\find.exe
    find ":"
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4660
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "WindowTitle eq C:\Users\Admin\AppData\Local\Temp\rmpg_myau (1).exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3396
- - C:\Windows\SysWOW64\find.exe
    find ":"
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:320
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "WindowTitle eq C:\Users\Admin\AppData\Local\Temp\rmpg_myau (1).exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- - C:\Windows\SysWOW64\find.exe
    find ":"
    3⤵
    PID:228
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4936
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "WindowTitle eq C:\Users\Admin\AppData\Local\Temp\rmpg_myau (1).exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4144
- - C:\Windows\SysWOW64\find.exe
    find ":"
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:996
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "WindowTitle eq C:\Users\Admin\AppData\Local\Temp\rmpg_myau (1).exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3172
- - C:\Windows\SysWOW64\find.exe
    find ":"
    3⤵
    PID:348
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4232
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "WindowTitle eq C:\Users\Admin\AppData\Local\Temp\rmpg_myau (1).exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\SysWOW64\find.exe
    find ":"
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 20 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_useraccount where name='Admin' get sid"
    3⤵
    PID:2148
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_useraccount where name='Admin' get sid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4652
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-2508097367-364665605-1201309312-1000" /f
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\UserSettings\S-1-5-21-2508097367-364665605-1201309312-1000" /f
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps" /f
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2508097367-364665605-1201309312-1000\Microsoft\Windows\CurrentVersion\Search\RecentApps" /f
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.exe" /f
    3⤵
    PID:164
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.exe" /f
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2508097367-364665605-1201309312-1000\Software\WinRAR\DialogEditHistory\ArcName" /f
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\exe" /f
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*" /f
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\exe" /f
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*" /f
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\exe" /f
    3⤵
    PID:364
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /f
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$$windows.data.taskflow.shellactivities\Current" /f
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Users\Admin\AppData\Local\Temp\rmpg_myau (1).exe.FriendlyAppName" /F
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Users\Admin\AppData\Local\Temp\rmpg_myau (1).exe.ApplicationCompany" /F
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Users\Admin\AppData\Local\Temp\rmpg_myau (1).exe" /F
    3⤵
    PID:880
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Users\Admin\AppData\Local\Temp\rmpg_myau (1).exe.FriendlyAppName" /F
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Users\Admin\AppData\Local\Temp\rmpg_myau (1).exe.ApplicationCompany" /F
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Users\Admin\AppData\Local\Temp\rmpg_myau (1).exe" /F
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Users\Admin\AppData\Local\Temp\rmpg_myau (1).exe" /F
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /v "P:\Hfref\Nqzva\NccQngn\Ybpny\Grzc\ezct_zlnh (1).rkr" /F
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FTH\State" /f
    3⤵
    PID:432
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU" /f
    3⤵
    - Modifies registry class
    PID:360
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU" /f
    3⤵
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\i_be_where_the_black_mold_grow.bat

Filesize
5KB

MD5
f09115e95dd026363c35a2dd533e9825

SHA1
899d260b9190faf85ce4aef93221476a9deac3c4

SHA256
beebf43041246d7c97b70da9886ce608e588f95a573a60646bd75fe858c189dc

SHA512
4c5a609731c7de4351e0127653b7042db70dfdcf22ab0d65683077529ac0f96670ce81b88941954734f3cc3c4a3fa72f44be74291e8b2e6523bce07de5ab4100

Download Submit
memory/4680-1-0x0000000000400000-0x0000000000761000-memory.dmp

Filesize
3.4MB

Download
memory/4680-0-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4680-2-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4680-9-0x0000000000400000-0x0000000000761000-memory.dmp

Filesize
3.4MB

Download