08c49bf8a095eae789a7d157c2ade5839807f29bb8b4ec610e54ece822637e77

Analysis

max time kernel
142s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 15:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

08c49bf8a095eae789a7d157c2ade5839807f29bb8b4ec610e54ece822637e77.exe
Size

194KB
MD5

6445cc4a249c95f9a0084262725a7167
SHA1

9e20f8f1c4cd6bb314ecfd9c72a2a2b7be017b0f
SHA256

08c49bf8a095eae789a7d157c2ade5839807f29bb8b4ec610e54ece822637e77
SHA512

a9823582121bf0e9e14d1782aa692e7b9350770eb2df77c0d499a42b73b22111ea980895d147018217180b8a6989761adc9e6e9fbe7e8d0b7dc8320d46bc5875
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOf:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXC

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2036	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2900	rwmhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\rwmhost.exe	08c49bf8a095eae789a7d157c2ade5839807f29bb8b4ec610e54ece822637e77.exe
File opened for modification	C:\Windows\Debug\rwmhost.exe	08c49bf8a095eae789a7d157c2ade5839807f29bb8b4ec610e54ece822637e77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rwmhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rwmhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2536	08c49bf8a095eae789a7d157c2ade5839807f29bb8b4ec610e54ece822637e77.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2036	2536	08c49bf8a095eae789a7d157c2ade5839807f29bb8b4ec610e54ece822637e77.exe	29
PID 2536 wrote to memory of 2036	2536	08c49bf8a095eae789a7d157c2ade5839807f29bb8b4ec610e54ece822637e77.exe	29
PID 2536 wrote to memory of 2036	2536	08c49bf8a095eae789a7d157c2ade5839807f29bb8b4ec610e54ece822637e77.exe	29
PID 2536 wrote to memory of 2036	2536	08c49bf8a095eae789a7d157c2ade5839807f29bb8b4ec610e54ece822637e77.exe	29

C:\Users\Admin\AppData\Local\Temp\08c49bf8a095eae789a7d157c2ade5839807f29bb8b4ec610e54ece822637e77.exe
"C:\Users\Admin\AppData\Local\Temp\08c49bf8a095eae789a7d157c2ade5839807f29bb8b4ec610e54ece822637e77.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\08C49B~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2036

C:\Windows\Debug\rwmhost.exe
C:\Windows\Debug\rwmhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\rwmhost.exe

Filesize
194KB

MD5
272b8b27192a8b38fcbd440762762775

SHA1
5c7c06f667ae3bed8a976263b8cb6e9bcce5d797

SHA256
829d36f253c9814ac8bd1744351905767bf7d464b57fccf03afae28546a87e6d

SHA512
0747cf22cc8eee0d5814c10050001ad74b3eb7e92374bf68ef9a26f6b8181fed32e562d80164bafa9d16a2963da95b7d5696d6ac1f1a762036e979e79e30e173

Download Submit