500a5a74fab0362b502ee3d9aec2d787727789154f575f9e7201be1e42ca40be

Analysis

max time kernel
12s
max time network
16s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 13:59

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

3d093990c8247bd1618260cb8cb300c8.exe
Size

24KB
MD5

3d093990c8247bd1618260cb8cb300c8
SHA1

ac8e967ebb0725223f64078d256bb3d7dc2e49e9
SHA256

500a5a74fab0362b502ee3d9aec2d787727789154f575f9e7201be1e42ca40be
SHA512

0e3130afca9feaf491241acecf1d66569203ad182dd08a2e448fddd4d92bb11b4990a71a09e18e02df23984c5a04f481f489bb1c686fd9df757e7633e8e0158e
SSDEEP

192:9WzogssbCxu/KLWhSJZMGaPFY68w3mqea1Iwl+xiXnR8apIr6tdV5vfH7wDArGOB:O56LmSJZM7bxbhYrSlvfHkwGOA6

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1856	3d093990c8247bd1618260cb8cb300c8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1856	3d093990c8247bd1618260cb8cb300c8.exe
Token: SeIncBasePriorityPrivilege	1856	3d093990c8247bd1618260cb8cb300c8.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1856	3d093990c8247bd1618260cb8cb300c8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2680	1856	3d093990c8247bd1618260cb8cb300c8.exe	29
PID 1856 wrote to memory of 2680	1856	3d093990c8247bd1618260cb8cb300c8.exe	29
PID 1856 wrote to memory of 2680	1856	3d093990c8247bd1618260cb8cb300c8.exe	29
PID 1856 wrote to memory of 2680	1856	3d093990c8247bd1618260cb8cb300c8.exe	29

C:\Users\Admin\AppData\Local\Temp\3d093990c8247bd1618260cb8cb300c8.exe
"C:\Users\Admin\AppData\Local\Temp\3d093990c8247bd1618260cb8cb300c8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3D0939~1.EXE > nul
  2⤵
  PID:2680

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3064-0-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download