Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 00:09

General

  • Target

    2125bf2b30050fb981357d998968ed50.exe

  • Size

    10KB

  • MD5

    2125bf2b30050fb981357d998968ed50

  • SHA1

    7152359f75b98e9eb96ef35ea720eeaf4c028b8a

  • SHA256

    34ac353f82317c69f040b864de17c8c7b23f71ae2c1f98e05d8f9c26e7466183

  • SHA512

    9fbd73e6e85f6c85e18fd9477f6d798831de8495764b424224ee3dabd5d20654fef6826d32d553269eb28898b2ed0188d09d30ffe15937d5bf4e04d1fe314a5c

  • SSDEEP

    192:IOjHx/GOuPoM3qkCAvMP78N4YIT3xBsx/RkSOAdsvtFcxNGf7C:LF/GOugWBZMPy4HL/4/rTsvtFHC

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3532
      • C:\Users\Admin\AppData\Local\Temp\2125bf2b30050fb981357d998968ed50.exe
        "C:\Users\Admin\AppData\Local\Temp\2125bf2b30050fb981357d998968ed50.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\Windows\cmdbcs.exe
          C:\Windows\cmdbcs.exe @C:\Users\Admin\AppData\Local\Temp\2125bf2b30050fb981357d998968ed50.exe@4908
          3⤵
          • Deletes itself
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:836

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\cmdbcs.exe

      Filesize

      10KB

      MD5

      2125bf2b30050fb981357d998968ed50

      SHA1

      7152359f75b98e9eb96ef35ea720eeaf4c028b8a

      SHA256

      34ac353f82317c69f040b864de17c8c7b23f71ae2c1f98e05d8f9c26e7466183

      SHA512

      9fbd73e6e85f6c85e18fd9477f6d798831de8495764b424224ee3dabd5d20654fef6826d32d553269eb28898b2ed0188d09d30ffe15937d5bf4e04d1fe314a5c

    • memory/836-6-0x00000000001C0000-0x0000000000200000-memory.dmp

      Filesize

      256KB

    • memory/4908-0-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

    • memory/4908-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

      Filesize

      4KB

    • memory/4908-7-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB