397dd6ecd93a3b4d896fcf3af189dcd51a98c6504c11639af6587aa017f3f607

Analysis

max time kernel
1s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Blank-Admin1.rar.exe
Size

9.9MB
MD5

a3c355791a32902bd88f5a42a284f104
SHA1

c1efe9959317a7cb3fdc011ad07fa5e97e80910e
SHA256

397dd6ecd93a3b4d896fcf3af189dcd51a98c6504c11639af6587aa017f3f607
SHA512

fa07f2ab6255cc4e9e2a5020f6dbd5291aa07e92247c7ca7c0a92503afb4c446f721cfcbe9ee15509eeb0694e919523b3a55d5eb36df6d00f5a2e2cb2bbfcd67
SSDEEP

196608:eVXGX180p6gdfRrxbAQvVwejuJDUX47dwdW0ZW9B/9Uujcsl16V1N5Mr:JXxfRrxNaUX47d4h69NjXsHy

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 40 IoCs

pid	Process
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe
3416	Blank-Admin1.rar.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	api.ipify.org
12	api.ipify.org
13	api.ipify.org

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3664	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3664	tasklist.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 3416	1532	Blank-Admin1.rar.exe	26
PID 1532 wrote to memory of 3416	1532	Blank-Admin1.rar.exe	26
PID 3416 wrote to memory of 3824	3416	Blank-Admin1.rar.exe	31
PID 3416 wrote to memory of 3824	3416	Blank-Admin1.rar.exe	31
PID 3824 wrote to memory of 3664	3824	cmd.exe	30
PID 3824 wrote to memory of 3664	3824	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\Blank-Admin1.rar.exe
"C:\Users\Admin\AppData\Local\Temp\Blank-Admin1.rar.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\Blank-Admin1.rar.exe
  "C:\Users\Admin\AppData\Local\Temp\Blank-Admin1.rar.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3824

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads