f033a6414a233485e972c1705b6ebf9d79bee14f16af8e729761f1c7af7c3b9f

Analysis

max time kernel
26s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46241fa1054b7d803c8ce1dd03976990.exe
Size

315KB
MD5

46241fa1054b7d803c8ce1dd03976990
SHA1

adbca2e37c56354c91fc8c4fc53b23c32bac5a73
SHA256

f033a6414a233485e972c1705b6ebf9d79bee14f16af8e729761f1c7af7c3b9f
SHA512

30ecc8110ced3220fcdecaeab8469e6d2d97c789225e6c0381d483e427c2b90c01700dea6f11b02529903460025dc9200542237e11ff0061ed38459bba2bb4f8
SSDEEP

3072:PjxBvj9C3/KMUt02JHabMlTBvj9CJ/KMOov:rLjuJU0CGGxjeJ5v

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	whatismyip.com

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3640	46241fa1054b7d803c8ce1dd03976990.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3640	46241fa1054b7d803c8ce1dd03976990.exe
Token: SeBackupPrivilege	5032	dw20.exe
Token: SeBackupPrivilege	5032	dw20.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe
3640	46241fa1054b7d803c8ce1dd03976990.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 5032	3640	46241fa1054b7d803c8ce1dd03976990.exe	103
PID 3640 wrote to memory of 5032	3640	46241fa1054b7d803c8ce1dd03976990.exe	103

C:\Users\Admin\AppData\Local\Temp\46241fa1054b7d803c8ce1dd03976990.exe
"C:\Users\Admin\AppData\Local\Temp\46241fa1054b7d803c8ce1dd03976990.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 2348
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3640-0-0x000000001B500000-0x000000001B5A6000-memory.dmp

Filesize
664KB

Download
memory/3640-1-0x00007FFEA6E50000-0x00007FFEA77F1000-memory.dmp

Filesize
9.6MB

Download
memory/3640-3-0x000000001BAE0000-0x000000001BFAE000-memory.dmp

Filesize
4.8MB

Download
memory/3640-5-0x000000001C050000-0x000000001C0EC000-memory.dmp

Filesize
624KB

Download
memory/3640-4-0x00007FFEA6E50000-0x00007FFEA77F1000-memory.dmp

Filesize
9.6MB

Download
memory/3640-7-0x000000001C190000-0x000000001C1DC000-memory.dmp

Filesize
304KB

Download
memory/3640-6-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/3640-2-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3640-8-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3640-9-0x000000001D2B0000-0x000000001D312000-memory.dmp

Filesize
392KB

Download
memory/3640-10-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3640-12-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3640-11-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3640-13-0x00007FFEA6E50000-0x00007FFEA77F1000-memory.dmp

Filesize
9.6MB

Download
memory/3640-14-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3640-15-0x00007FFEA6E50000-0x00007FFEA77F1000-memory.dmp

Filesize
9.6MB

Download
memory/3640-16-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3640-17-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3640-18-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3640-21-0x0000000020060000-0x0000000020160000-memory.dmp

Filesize
1024KB

Download
memory/3640-20-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3640-28-0x00007FFEA6E50000-0x00007FFEA77F1000-memory.dmp

Filesize
9.6MB

Download
memory/3640-19-0x0000000020060000-0x0000000020160000-memory.dmp

Filesize
1024KB

Download