4419415dffa5c427d65cf8d0367d07303c5d932823fdf6c62f60929d6d35eb72

Analysis

max time kernel
144s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

535KB
MD5

0af0403435aa81cb0066833a493bb2bd
SHA1

bbe32b64576652959d511ebb91ab8078a2481c0f
SHA256

4419415dffa5c427d65cf8d0367d07303c5d932823fdf6c62f60929d6d35eb72
SHA512

2f6c68d72451ecb620382f4c6f36a508fb4b2e24faf96e6698dd63c0bb68ac64140cba49a991b1df36c53982eca7ccd7230a6add97a990d2ab94a60a579707bc
SSDEEP

12288:Oz/mbW5bWKISUKyDXlzeJSBjpfMkwwfwD52n:+ubW5bWKIFLX5ewC52n

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2288	tmp.exe
2288	tmp.exe
2208	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	tmp.exe
Token: SeDebugPrivilege	2208	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2208	2288	tmp.exe	29
PID 2288 wrote to memory of 2208	2288	tmp.exe	29
PID 2288 wrote to memory of 2208	2288	tmp.exe	29

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
169B

MD5
f260d997847031123b867315e786a3d6

SHA1
615bbfa05aa7eb9ae9fe02ebf757265d76a08a5a

SHA256
26c9afc6ec388c82deb202d2fdb8851eb5a1f8c612d134f7d930ddc78f59a60b

SHA512
a8fc78cd1d98dba42710bb2fc4a6678957dc0d90c9d7b3a6856b0c4ed833b49cd720e4cc8991a37fbcff0a79beb2254bbbbdf3a513c9a1e153d47f837c94e579

Download Submit
memory/2208-21-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2208-24-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/2208-27-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2208-25-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/2208-26-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/2208-19-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2208-22-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/2208-20-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/2208-23-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-2-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-0-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-14-0x0000000000B50000-0x0000000000BD0000-memory.dmp

Filesize
512KB

Download
memory/2288-1-0x0000000000B50000-0x0000000000BD0000-memory.dmp

Filesize
512KB

Download
memory/2288-3-0x0000000000B50000-0x0000000000BD0000-memory.dmp

Filesize
512KB

Download
memory/2288-30-0x0000000000B50000-0x0000000000BD0000-memory.dmp

Filesize
512KB

Download
memory/2288-31-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-32-0x0000000000B50000-0x0000000000BD0000-memory.dmp

Filesize
512KB

Download