34ae2caccb715a14cf00fb02408129b6d41866840ef506e62c27bd74e3463a76

Analysis

max time kernel
1s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05372c03964f5518f75f4437ec3bc43e.exe
Size

24KB
MD5

05372c03964f5518f75f4437ec3bc43e
SHA1

125b39aeea6cf86b83b33749df1ed87a12ea87d8
SHA256

34ae2caccb715a14cf00fb02408129b6d41866840ef506e62c27bd74e3463a76
SHA512

96cb061a13099f996d9110337fd4643f58db009d0cff584a8368f1bcdff4299f6f0161583718f4320371db57be6aad44af8a395d8516be0fd67b2a38e247a938
SSDEEP

768:S6X7x2WJl0hDdwyTY/9fqaUoKWjdwD33e9XtvWsrAF:S6l2W/0hDCiwysKWj99/a

Score

1^/10

Malware Config

Signatures

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5052	05372c03964f5518f75f4437ec3bc43e.exe
5052	05372c03964f5518f75f4437ec3bc43e.exe
5052	05372c03964f5518f75f4437ec3bc43e.exe
5052	05372c03964f5518f75f4437ec3bc43e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5052	05372c03964f5518f75f4437ec3bc43e.exe
Token: SeSystemtimePrivilege	5052	05372c03964f5518f75f4437ec3bc43e.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 2568	5052	05372c03964f5518f75f4437ec3bc43e.exe	38
PID 5052 wrote to memory of 2568	5052	05372c03964f5518f75f4437ec3bc43e.exe	38
PID 5052 wrote to memory of 2568	5052	05372c03964f5518f75f4437ec3bc43e.exe	38
PID 2568 wrote to memory of 948	2568	cmd.exe	37
PID 2568 wrote to memory of 948	2568	cmd.exe	37
PID 2568 wrote to memory of 948	2568	cmd.exe	37
PID 948 wrote to memory of 1336	948	net.exe	20
PID 948 wrote to memory of 1336	948	net.exe	20
PID 948 wrote to memory of 1336	948	net.exe	20
PID 5052 wrote to memory of 3264	5052	05372c03964f5518f75f4437ec3bc43e.exe	21
PID 5052 wrote to memory of 3264	5052	05372c03964f5518f75f4437ec3bc43e.exe	21
PID 5052 wrote to memory of 3264	5052	05372c03964f5518f75f4437ec3bc43e.exe	21
PID 3264 wrote to memory of 3192	3264	cmd.exe	22
PID 3264 wrote to memory of 3192	3264	cmd.exe	22
PID 3264 wrote to memory of 3192	3264	cmd.exe	22
PID 3192 wrote to memory of 2124	3192	net.exe	35
PID 3192 wrote to memory of 2124	3192	net.exe	35
PID 3192 wrote to memory of 2124	3192	net.exe	35
PID 5052 wrote to memory of 4752	5052	05372c03964f5518f75f4437ec3bc43e.exe	34
PID 5052 wrote to memory of 4752	5052	05372c03964f5518f75f4437ec3bc43e.exe	34
PID 5052 wrote to memory of 4752	5052	05372c03964f5518f75f4437ec3bc43e.exe	34
PID 4752 wrote to memory of 4224	4752	cmd.exe	33
PID 4752 wrote to memory of 4224	4752	cmd.exe	33
PID 4752 wrote to memory of 4224	4752	cmd.exe	33
PID 4224 wrote to memory of 4836	4224	net.exe	24
PID 4224 wrote to memory of 4836	4224	net.exe	24
PID 4224 wrote to memory of 4836	4224	net.exe	24
PID 5052 wrote to memory of 4860	5052	05372c03964f5518f75f4437ec3bc43e.exe	32
PID 5052 wrote to memory of 4860	5052	05372c03964f5518f75f4437ec3bc43e.exe	32
PID 5052 wrote to memory of 4860	5052	05372c03964f5518f75f4437ec3bc43e.exe	32
PID 4860 wrote to memory of 2240	4860	cmd.exe	31
PID 4860 wrote to memory of 2240	4860	cmd.exe	31
PID 4860 wrote to memory of 2240	4860	cmd.exe	31
PID 2240 wrote to memory of 3280	2240	net.exe	26
PID 2240 wrote to memory of 3280	2240	net.exe	26
PID 2240 wrote to memory of 3280	2240	net.exe	26

C:\Users\Admin\AppData\Local\Temp\05372c03964f5518f75f4437ec3bc43e.exe
"C:\Users\Admin\AppData\Local\Temp\05372c03964f5518f75f4437ec3bc43e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop KWhatchsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\SysWOW64\net.exe
    net stop KWhatchsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KWhatchsvc
      4⤵
      PID:2124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Norton AntiVirus Server"
  2⤵
  PID:3848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "McAfee Framework ·þÎñ"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop KPfwSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop McShield
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- C:\Windows\SysWOW64\360safe.pif
  C:\Windows\system32\360safe.pif
  2⤵
  PID:2740
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\packet.dll /e /p everyone:f
  2⤵
  PID:2268
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\pthreadVC.dll /e /p everyone:f
  2⤵
  PID:4612
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f
  2⤵
  PID:2176
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f
  2⤵
  PID:1624
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f
  2⤵
  PID:216
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\acpidisk.sys /e /p everyone:f
  2⤵
  PID:116
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\wanpacket.dll /e /p everyone:f
  2⤵
  PID:1692
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f
  2⤵
  PID:3676
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4268
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4268 CREDAT:17410 /prefetch:2
    3⤵
    PID:4004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield
1⤵
PID:1336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KPfwSvc
1⤵
PID:4836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfee Framework ·þÎñ"
1⤵
PID:3280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Norton AntiVirus Server"
1⤵
PID:3384

C:\Windows\SysWOW64\net.exe
net stop "Norton AntiVirus Server"
1⤵
PID:2396

C:\Windows\SysWOW64\net.exe
net stop "McAfee Framework ·þÎñ"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\net.exe
net stop KPfwSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\SysWOW64\net.exe
net stop McShield
1⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
PID:332
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:332 CREDAT:17410 /prefetch:2
  2⤵
  PID:3908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{92707C53-1BD2-11D7-8185-5A16FF4F52D9}.dat

Filesize
5KB

MD5
cc80019b632b7885b604d4634cf75022

SHA1
846ef4d333513735236b1032122f7631dbf9181f

SHA256
f116da1dafc314cf5cd571e06e7d228d3668c360558be1d612073317d8dcc576

SHA512
b1b539a33984ac1e53665a15437c64ca3237f90af40a0a8fc304699c84ec94173becb25898df1816fab06b91f930d6733e2dbab6c9c83294d7be902583116d93

Download Submit
C:\Windows\SysWOW64\360safe.pif

Filesize
4KB

MD5
21030b4622c2d5fa072346e408c71918

SHA1
9687c92d5afb5a342a9afa8e34a451d8724c84bc

SHA256
0a115ea56b1eaa9c9f26302027dcc6f788156eae9f346fc6fe74dd877193f701

SHA512
915150eff3679d7cc2d7915de1bf91396b9db30716ac796b89f7d49484383a5ab1cdd815faec5b1004d438126e7f1560737b7b9f8c35efb5b3d8abf9304deda4

Download Submit
memory/5052-0-0x0000000013140000-0x000000001315B000-memory.dmp

Filesize
108KB

Download
memory/5052-1-0x0000000002140000-0x0000000002240000-memory.dmp

Filesize
1024KB

Download
memory/5052-6-0x0000000013140000-0x000000001315B000-memory.dmp

Filesize
108KB

Download
memory/5052-7-0x0000000002140000-0x0000000002240000-memory.dmp

Filesize
1024KB

Download