d3f32d7dea3e4d41eed1238a269075c4030ddff3843cb286b1860a6de6ad000e

Analysis

max time kernel
71s
max time network
76s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
20/11/2023, 14:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d3f32d7dea3e4d41eed1238a269075c4030ddff3843cb286b1860a6de6ad000e.exe
Size

89KB
MD5

8bc10ffcee089200f8a0c9012f1e8e79
SHA1

c3c29a18803173d8c283feb9a64af5d1d4877635
SHA256

d3f32d7dea3e4d41eed1238a269075c4030ddff3843cb286b1860a6de6ad000e
SHA512

3c52d2a75c80348e38fedce6d1ab44b786e7a5a76235235f9abe38718fb351e6d064f75489d719d75ee01d71568514533aae4175fc85710dcc6b0a99bd5ddc7a
SSDEEP

1536:D7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfPwEO+:f7DhdC6kzWypvaQ0FxyNTBfPP

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4516	powershell.exe
4516	powershell.exe
4516	powershell.exe
4208	powershell.exe
4208	powershell.exe
4208	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeIncreaseQuotaPrivilege	4516	powershell.exe
Token: SeSecurityPrivilege	4516	powershell.exe
Token: SeTakeOwnershipPrivilege	4516	powershell.exe
Token: SeLoadDriverPrivilege	4516	powershell.exe
Token: SeSystemProfilePrivilege	4516	powershell.exe
Token: SeSystemtimePrivilege	4516	powershell.exe
Token: SeProfSingleProcessPrivilege	4516	powershell.exe
Token: SeIncBasePriorityPrivilege	4516	powershell.exe
Token: SeCreatePagefilePrivilege	4516	powershell.exe
Token: SeBackupPrivilege	4516	powershell.exe
Token: SeRestorePrivilege	4516	powershell.exe
Token: SeShutdownPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeSystemEnvironmentPrivilege	4516	powershell.exe
Token: SeRemoteShutdownPrivilege	4516	powershell.exe
Token: SeUndockPrivilege	4516	powershell.exe
Token: SeManageVolumePrivilege	4516	powershell.exe
Token: 33	4516	powershell.exe
Token: 34	4516	powershell.exe
Token: 35	4516	powershell.exe
Token: 36	4516	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeIncreaseQuotaPrivilege	4208	powershell.exe
Token: SeSecurityPrivilege	4208	powershell.exe
Token: SeTakeOwnershipPrivilege	4208	powershell.exe
Token: SeLoadDriverPrivilege	4208	powershell.exe
Token: SeSystemProfilePrivilege	4208	powershell.exe
Token: SeSystemtimePrivilege	4208	powershell.exe
Token: SeProfSingleProcessPrivilege	4208	powershell.exe
Token: SeIncBasePriorityPrivilege	4208	powershell.exe
Token: SeCreatePagefilePrivilege	4208	powershell.exe
Token: SeBackupPrivilege	4208	powershell.exe
Token: SeRestorePrivilege	4208	powershell.exe
Token: SeShutdownPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeSystemEnvironmentPrivilege	4208	powershell.exe
Token: SeRemoteShutdownPrivilege	4208	powershell.exe
Token: SeUndockPrivilege	4208	powershell.exe
Token: SeManageVolumePrivilege	4208	powershell.exe
Token: 33	4208	powershell.exe
Token: 34	4208	powershell.exe
Token: 35	4208	powershell.exe
Token: 36	4208	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 5080	1500	d3f32d7dea3e4d41eed1238a269075c4030ddff3843cb286b1860a6de6ad000e.exe	72
PID 1500 wrote to memory of 5080	1500	d3f32d7dea3e4d41eed1238a269075c4030ddff3843cb286b1860a6de6ad000e.exe	72
PID 5080 wrote to memory of 4584	5080	cmd.exe	73
PID 5080 wrote to memory of 4584	5080	cmd.exe	73
PID 5080 wrote to memory of 4516	5080	cmd.exe	74
PID 5080 wrote to memory of 4516	5080	cmd.exe	74
PID 5080 wrote to memory of 4208	5080	cmd.exe	76
PID 5080 wrote to memory of 4208	5080	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\d3f32d7dea3e4d41eed1238a269075c4030ddff3843cb286b1860a6de6ad000e.exe
"C:\Users\Admin\AppData\Local\Temp\d3f32d7dea3e4d41eed1238a269075c4030ddff3843cb286b1860a6de6ad000e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AB15.tmp\AB16.tmp\AB17.bat C:\Users\Admin\AppData\Local\Temp\d3f32d7dea3e4d41eed1238a269075c4030ddff3843cb286b1860a6de6ad000e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\system32\mode.com
    MODE CON COLS=100 LINES=1
    3⤵
    PID:4584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -w hidden -Command Add-MpPreference -ExclusionPath "C:"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -w hidden -Command Add-MpPreference -ExclusionExtension ".exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
7033adcdceef2520521477b094e52cc7

SHA1
6dbdc3aba745a40a79f2eb659f2b427aaf5ff62e

SHA256
bb10a63597ebc56a9c5e558c7b5bed8c1dde4856f7604ab987998d10eda3ac4e

SHA512
af9249bd6a64e28d1b03ce962618ce2a7e5a55dc57d1dbc8efcf2e4142e74f40e58b144952981c3a86771a9fd207e73986130edf7b7dfde2495347e284e8287e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
51d74e4f8246dff62ae7fd50817682f3

SHA1
dae54bd9dbcd71b20655e3ef6be3a5caee4d1bdb

SHA256
e83f0e38b56a3a0f0a4292744b913710e93db8003a9c79b5518004cbc6256d3f

SHA512
4398e419ba03baf238591d1c510358bf7efea2b51c8f88eee3f556dc4caa4c2039342b7de0c9e48a54000e230cb754d475203c776558051919c6cef97f9921f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB15.tmp\AB16.tmp\AB17.bat

Filesize
357B

MD5
1f08758269b2996a25ecfab794cd6482

SHA1
238037768b92f5f34c620421f60d4244c4c6446a

SHA256
9adffc282ab809eda1361cfab11f7fe801dd2eda8725a9233663c49157456864

SHA512
ef6580803006ae9df9910cc57d396accaebfdfc3e5a6959d26d48a91c92ac2102fed0677986cf2f49e6316eb2dcb24d35a3847e2c166fe352b4dc758962bca67

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wzdu0aq1.jlr.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/4208-58-0x00007FFDBEC30000-0x00007FFDBF61C000-memory.dmp

Filesize
9.9MB

Download
memory/4208-105-0x00007FFDBEC30000-0x00007FFDBF61C000-memory.dmp

Filesize
9.9MB

Download
memory/4208-102-0x0000018724280000-0x0000018724290000-memory.dmp

Filesize
64KB

Download
memory/4208-79-0x0000018724280000-0x0000018724290000-memory.dmp

Filesize
64KB

Download
memory/4208-61-0x0000018724280000-0x0000018724290000-memory.dmp

Filesize
64KB

Download
memory/4208-59-0x0000018724280000-0x0000018724290000-memory.dmp

Filesize
64KB

Download
memory/4516-13-0x000001D833E90000-0x000001D833F06000-memory.dmp

Filesize
472KB

Download
memory/4516-53-0x00007FFDBEC30000-0x00007FFDBF61C000-memory.dmp

Filesize
9.9MB

Download
memory/4516-49-0x000001D81BAC0000-0x000001D81BAD0000-memory.dmp

Filesize
64KB

Download
memory/4516-26-0x000001D81BAC0000-0x000001D81BAD0000-memory.dmp

Filesize
64KB

Download
memory/4516-11-0x000001D81BAC0000-0x000001D81BAD0000-memory.dmp

Filesize
64KB

Download
memory/4516-9-0x00007FFDBEC30000-0x00007FFDBF61C000-memory.dmp

Filesize
9.9MB

Download
memory/4516-6-0x000001D81BCD0000-0x000001D81BCF2000-memory.dmp

Filesize
136KB

Download