78dd3c056a5bd339ed8ea9a680526936e4ecf8ed70caae8ead4ac0b32248b7a0

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 14:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SJ.IROOT.exe
Size

408KB
MD5

35b6d933c1ff2be2e9f3f399b8ea7e2a
SHA1

6ba2e9470d9c1f0740ebac28ce9b569ae1b90a5d
SHA256

0c5b928f8080d26dab92bb125eb629458575c7cf4e6e8e1c4395cc5d82680ccd
SHA512

9a05d7c2898c4e5986e81ade0526984a9a628b3d328affc4cbc18ebcb37f555441fa9d35264322dca23862bbb9974db5a2047c75b7ba58ae2e7394c21a402893
SSDEEP

12288:R3yRKJMu+FC/92+JWN6UB382B2Ujsur2Ceinhk5f:ZyJF7+JWN6UR4i2Ceinhk5f

Score

1^/10

Malware Config

Signatures

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1184	NETSTAT.EXE
3316	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3324	SJ.IROOT.exe
Token: SeDebugPrivilege	3316	NETSTAT.EXE
Token: SeDebugPrivilege	1184	NETSTAT.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 4544	3324	SJ.IROOT.exe	99
PID 3324 wrote to memory of 4544	3324	SJ.IROOT.exe	99
PID 3324 wrote to memory of 4544	3324	SJ.IROOT.exe	99
PID 4544 wrote to memory of 3316	4544	cmd.exe	98
PID 4544 wrote to memory of 3316	4544	cmd.exe	98
PID 4544 wrote to memory of 3316	4544	cmd.exe	98
PID 4544 wrote to memory of 372	4544	cmd.exe	97
PID 4544 wrote to memory of 372	4544	cmd.exe	97
PID 4544 wrote to memory of 372	4544	cmd.exe	97
PID 3324 wrote to memory of 1204	3324	SJ.IROOT.exe	96
PID 3324 wrote to memory of 1204	3324	SJ.IROOT.exe	96
PID 3324 wrote to memory of 1204	3324	SJ.IROOT.exe	96
PID 1204 wrote to memory of 1184	1204	cmd.exe	95
PID 1204 wrote to memory of 1184	1204	cmd.exe	95
PID 1204 wrote to memory of 1184	1204	cmd.exe	95
PID 1204 wrote to memory of 64	1204	cmd.exe	94
PID 1204 wrote to memory of 64	1204	cmd.exe	94
PID 1204 wrote to memory of 64	1204	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\SJ.IROOT.exe
"C:\Users\Admin\AppData\Local\Temp\SJ.IROOT.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4544

C:\Windows\SysWOW64\findstr.exe
findstr "5037"
1⤵
PID:64

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -ano
1⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\findstr.exe
findstr "5037"
1⤵
PID:372

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -ano
1⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3324-0-0x0000000000750000-0x00000000007BE000-memory.dmp

Filesize
440KB

Download
memory/3324-1-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/3324-2-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3324-3-0x0000000005010000-0x0000000005044000-memory.dmp

Filesize
208KB

Download
memory/3324-5-0x00000000055C0000-0x00000000055EA000-memory.dmp

Filesize
168KB

Download
memory/3324-4-0x0000000005080000-0x00000000050AA000-memory.dmp

Filesize
168KB

Download
memory/3324-6-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3324-7-0x0000000005CF0000-0x0000000005D2C000-memory.dmp

Filesize
240KB

Download
memory/3324-8-0x0000000005EE0000-0x0000000005F32000-memory.dmp

Filesize
328KB

Download
memory/3324-10-0x0000000009C50000-0x0000000009C5E000-memory.dmp

Filesize
56KB

Download
memory/3324-11-0x000000000AF40000-0x000000000AFA6000-memory.dmp

Filesize
408KB

Download
memory/3324-9-0x0000000009C70000-0x0000000009CA8000-memory.dmp

Filesize
224KB

Download
memory/3324-13-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/3324-14-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3324-15-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download