43d0cd2a2ebaf029a98545e0cd3b0013ae7564fe9e0e19b378e67c8b0737d29e

Resubmissions

07/01/2024, 22:13

240107-15e25afcbr 3

05/01/2024, 08:43

240105-km1ywagebq 3

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vacuum (2) (2).exe
Size

6.0MB
MD5

dc112d6f1dffbd1f1049413a493c41b3
SHA1

3022f9f85d85735b000af193ae766b2576eee537
SHA256

43d0cd2a2ebaf029a98545e0cd3b0013ae7564fe9e0e19b378e67c8b0737d29e
SHA512

e47145277c4731a2ba513b699b2e1a380b7a3733658c2d7719d53a287f4a60f13a66dc8d14688282343dfbe7501d4d81ff71fdceadf012135de0ad5948fc3472
SSDEEP

98304:Yg09C7lJw/kngbjkEksToRep9fTqGAakUNP3e7NpGmtCgGig/XG+AhAXNhFg9e:MY7okn0rxqhak83MPfRQG+3Fgs

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2272	WMIC.exe
Token: SeSecurityPrivilege	2272	WMIC.exe
Token: SeTakeOwnershipPrivilege	2272	WMIC.exe
Token: SeLoadDriverPrivilege	2272	WMIC.exe
Token: SeSystemProfilePrivilege	2272	WMIC.exe
Token: SeSystemtimePrivilege	2272	WMIC.exe
Token: SeProfSingleProcessPrivilege	2272	WMIC.exe
Token: SeIncBasePriorityPrivilege	2272	WMIC.exe
Token: SeCreatePagefilePrivilege	2272	WMIC.exe
Token: SeBackupPrivilege	2272	WMIC.exe
Token: SeRestorePrivilege	2272	WMIC.exe
Token: SeShutdownPrivilege	2272	WMIC.exe
Token: SeDebugPrivilege	2272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2272	WMIC.exe
Token: SeRemoteShutdownPrivilege	2272	WMIC.exe
Token: SeUndockPrivilege	2272	WMIC.exe
Token: SeManageVolumePrivilege	2272	WMIC.exe
Token: 33	2272	WMIC.exe
Token: 34	2272	WMIC.exe
Token: 35	2272	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2272	WMIC.exe
Token: SeSecurityPrivilege	2272	WMIC.exe
Token: SeTakeOwnershipPrivilege	2272	WMIC.exe
Token: SeLoadDriverPrivilege	2272	WMIC.exe
Token: SeSystemProfilePrivilege	2272	WMIC.exe
Token: SeSystemtimePrivilege	2272	WMIC.exe
Token: SeProfSingleProcessPrivilege	2272	WMIC.exe
Token: SeIncBasePriorityPrivilege	2272	WMIC.exe
Token: SeCreatePagefilePrivilege	2272	WMIC.exe
Token: SeBackupPrivilege	2272	WMIC.exe
Token: SeRestorePrivilege	2272	WMIC.exe
Token: SeShutdownPrivilege	2272	WMIC.exe
Token: SeDebugPrivilege	2272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2272	WMIC.exe
Token: SeRemoteShutdownPrivilege	2272	WMIC.exe
Token: SeUndockPrivilege	2272	WMIC.exe
Token: SeManageVolumePrivilege	2272	WMIC.exe
Token: 33	2272	WMIC.exe
Token: 34	2272	WMIC.exe
Token: 35	2272	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2876	WMIC.exe
Token: SeSecurityPrivilege	2876	WMIC.exe
Token: SeTakeOwnershipPrivilege	2876	WMIC.exe
Token: SeLoadDriverPrivilege	2876	WMIC.exe
Token: SeSystemProfilePrivilege	2876	WMIC.exe
Token: SeSystemtimePrivilege	2876	WMIC.exe
Token: SeProfSingleProcessPrivilege	2876	WMIC.exe
Token: SeIncBasePriorityPrivilege	2876	WMIC.exe
Token: SeCreatePagefilePrivilege	2876	WMIC.exe
Token: SeBackupPrivilege	2876	WMIC.exe
Token: SeRestorePrivilege	2876	WMIC.exe
Token: SeShutdownPrivilege	2876	WMIC.exe
Token: SeDebugPrivilege	2876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2876	WMIC.exe
Token: SeRemoteShutdownPrivilege	2876	WMIC.exe
Token: SeUndockPrivilege	2876	WMIC.exe
Token: SeManageVolumePrivilege	2876	WMIC.exe
Token: 33	2876	WMIC.exe
Token: 34	2876	WMIC.exe
Token: 35	2876	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2876	WMIC.exe
Token: SeSecurityPrivilege	2876	WMIC.exe
Token: SeTakeOwnershipPrivilege	2876	WMIC.exe
Token: SeLoadDriverPrivilege	2876	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 3040	2860	Vacuum (2) (2).exe	52
PID 2860 wrote to memory of 3040	2860	Vacuum (2) (2).exe	52
PID 2860 wrote to memory of 3040	2860	Vacuum (2) (2).exe	52
PID 3040 wrote to memory of 2272	3040	cmd.exe	28
PID 3040 wrote to memory of 2272	3040	cmd.exe	28
PID 3040 wrote to memory of 2272	3040	cmd.exe	28
PID 2860 wrote to memory of 2668	2860	Vacuum (2) (2).exe	51
PID 2860 wrote to memory of 2668	2860	Vacuum (2) (2).exe	51
PID 2860 wrote to memory of 2668	2860	Vacuum (2) (2).exe	51
PID 2668 wrote to memory of 2876	2668	cmd.exe	31
PID 2668 wrote to memory of 2876	2668	cmd.exe	31
PID 2668 wrote to memory of 2876	2668	cmd.exe	31
PID 2860 wrote to memory of 2640	2860	Vacuum (2) (2).exe	37
PID 2860 wrote to memory of 2640	2860	Vacuum (2) (2).exe	37
PID 2860 wrote to memory of 2640	2860	Vacuum (2) (2).exe	37
PID 2640 wrote to memory of 2512	2640	cmd.exe	32
PID 2640 wrote to memory of 2512	2640	cmd.exe	32
PID 2640 wrote to memory of 2512	2640	cmd.exe	32
PID 2860 wrote to memory of 2504	2860	Vacuum (2) (2).exe	33
PID 2860 wrote to memory of 2504	2860	Vacuum (2) (2).exe	33
PID 2860 wrote to memory of 2504	2860	Vacuum (2) (2).exe	33
PID 2504 wrote to memory of 2644	2504	cmd.exe	35
PID 2504 wrote to memory of 2644	2504	cmd.exe	35
PID 2504 wrote to memory of 2644	2504	cmd.exe	35
PID 2860 wrote to memory of 2520	2860	Vacuum (2) (2).exe	49
PID 2860 wrote to memory of 2520	2860	Vacuum (2) (2).exe	49
PID 2860 wrote to memory of 2520	2860	Vacuum (2) (2).exe	49
PID 2520 wrote to memory of 2552	2520	cmd.exe	38
PID 2520 wrote to memory of 2552	2520	cmd.exe	38
PID 2520 wrote to memory of 2552	2520	cmd.exe	38
PID 2860 wrote to memory of 2968	2860	Vacuum (2) (2).exe	47
PID 2860 wrote to memory of 2968	2860	Vacuum (2) (2).exe	47
PID 2860 wrote to memory of 2968	2860	Vacuum (2) (2).exe	47
PID 2968 wrote to memory of 2180	2968	cmd.exe	40
PID 2968 wrote to memory of 2180	2968	cmd.exe	40
PID 2968 wrote to memory of 2180	2968	cmd.exe	40
PID 2860 wrote to memory of 2016	2860	Vacuum (2) (2).exe	46
PID 2860 wrote to memory of 2016	2860	Vacuum (2) (2).exe	46
PID 2860 wrote to memory of 2016	2860	Vacuum (2) (2).exe	46
PID 2016 wrote to memory of 948	2016	cmd.exe	44
PID 2016 wrote to memory of 948	2016	cmd.exe	44
PID 2016 wrote to memory of 948	2016	cmd.exe	44
PID 2860 wrote to memory of 2536	2860	Vacuum (2) (2).exe	43
PID 2860 wrote to memory of 2536	2860	Vacuum (2) (2).exe	43
PID 2860 wrote to memory of 2536	2860	Vacuum (2) (2).exe	43
PID 2536 wrote to memory of 1796	2536	cmd.exe	41
PID 2536 wrote to memory of 1796	2536	cmd.exe	41
PID 2536 wrote to memory of 1796	2536	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\Vacuum (2) (2).exe
"C:\Users\Admin\AppData\Local\Temp\Vacuum (2) (2).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C wmic baseboard get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:2644
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C wmic logicaldisk get volumeserialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C wmic baseboard get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C wmic logicaldisk get volumeserialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C wmic CPU get Architecture
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C wmic path Win32_videocontroller get PNPDeviceID
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C wmic CPU get Architecture
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C wmic path Win32_videocontroller get PNPDeviceID
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040

C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_videocontroller get PNPDeviceID
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get Architecture
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get volumeserialnumber
1⤵
PID:2512

C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_videocontroller get PNPDeviceID
1⤵
PID:2552

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get Architecture
1⤵
PID:2180

C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
1⤵
PID:1796

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get volumeserialnumber
1⤵
PID:948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2860-0-0x000000013F8B0000-0x000000013FEB0000-memory.dmp

Filesize
6.0MB

Download
memory/2860-1-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2860-2-0x000000001ABD0000-0x000000001ACA4000-memory.dmp

Filesize
848KB

Download
memory/2860-3-0x000000001B9A0000-0x000000001BA20000-memory.dmp

Filesize
512KB

Download
memory/2860-5-0x0000000002230000-0x000000000223A000-memory.dmp

Filesize
40KB

Download
memory/2860-4-0x0000000002230000-0x000000000223A000-memory.dmp

Filesize
40KB

Download
memory/2860-6-0x000000001B9A0000-0x000000001BA20000-memory.dmp

Filesize
512KB

Download
memory/2860-8-0x000000001B9A0000-0x000000001BA20000-memory.dmp

Filesize
512KB

Download
memory/2860-9-0x000000001B8C0000-0x000000001B972000-memory.dmp

Filesize
712KB

Download
memory/2860-10-0x000000001B980000-0x000000001B981000-memory.dmp

Filesize
4KB

Download
memory/2860-7-0x0000000002230000-0x0000000002258000-memory.dmp

Filesize
160KB

Download
memory/2860-11-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2860-12-0x000000001B9A0000-0x000000001BA20000-memory.dmp

Filesize
512KB

Download
memory/2860-13-0x0000000002230000-0x000000000223A000-memory.dmp

Filesize
40KB

Download
memory/2860-14-0x000000001B9A0000-0x000000001BA20000-memory.dmp

Filesize
512KB

Download
memory/2860-15-0x000000001B9A0000-0x000000001BA20000-memory.dmp

Filesize
512KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads