Analysis
  max time kernel: 149s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23/12/2023, 06:49
Static task: static1
  1 signatures
Behavioral task: behavioral1
  Sample: 9cf34288dda36ca0b013d6978d1acfe4.exe
  Resource: win7-20231215-en
  4 signatures
  150 seconds
Behavioral task: behavioral2
  Sample: 9cf34288dda36ca0b013d6978d1acfe4.exe
  Resource: win10v2004-20231215-en
  5 signatures
  150 seconds
General
  Target: 9cf34288dda36ca0b013d6978d1acfe4.exe
  Size: 743KB
  MD5: 9cf34288dda36ca0b013d6978d1acfe4
  SHA1: 634560fe79683a2019ee75f669e5bff02c1789f7
  SHA256: a40e1563e9bbc7683cc81adcecdf4450817ad2e18ee8534b85714081a500dd65
  SHA512: fcf0a8ce71ce9bb1fcba9f14158e8919098dfa75172128bf886bd256216a3b9ef0e44c1ac63177e228fb85522077c8aa1080e2bd415ce29fe341a39dd942f764
  SSDEEP: 12288:GN2pJlOwXBiPzEhmH5lxgZvvXt+FgqQ8t/6SUoWDGxPlh3i4H9ksxUWv:XrZvPQqqQ8tCSQoh3hxd
  Score: 7/10
Malware Config
Signatures
- Drops startup file (1 IoCs)
    description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shield.lnk
    Process: 9cf34288dda36ca0b013d6978d1acfe4.exe
- Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid: 2488  Process: 9cf34288dda36ca0b013d6978d1acfe4.exe
    pid: 2488  Process: 9cf34288dda36ca0b013d6978d1acfe4.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description: Token: SeDebugPrivilege  pid: 2488  Process: 9cf34288dda36ca0b013d6978d1acfe4.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
    description: PID 2488 wrote to memory of 2412  pid: 2488  Process: 9cf34288dda36ca0b013d6978d1acfe4.exe  procid_target: 28
    description: PID 2488 wrote to memory of 2412  pid: 2488  Process: 9cf34288dda36ca0b013d6978d1acfe4.exe  procid_target: 28
    description: PID 2488 wrote to memory of 2412  pid: 2488  Process: 9cf34288dda36ca0b013d6978d1acfe4.exe  procid_target: 28
Processes
- C:\Users\Admin\AppData\Local\Temp\9cf34288dda36ca0b013d6978d1acfe4.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\9cf34288dda36ca0b013d6978d1acfe4.exe"
    PID: 2488
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - child process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
        PID: 2412