4419415dffa5c427d65cf8d0367d07303c5d932823fdf6c62f60929d6d35eb72

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

535KB
MD5

0af0403435aa81cb0066833a493bb2bd
SHA1

bbe32b64576652959d511ebb91ab8078a2481c0f
SHA256

4419415dffa5c427d65cf8d0367d07303c5d932823fdf6c62f60929d6d35eb72
SHA512

2f6c68d72451ecb620382f4c6f36a508fb4b2e24faf96e6698dd63c0bb68ac64140cba49a991b1df36c53982eca7ccd7230a6add97a990d2ab94a60a579707bc
SSDEEP

12288:Oz/mbW5bWKISUKyDXlzeJSBjpfMkwwfwD52n:+ubW5bWKIFLX5ewC52n

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2544	tmp.exe
2544	tmp.exe
5076	powershell.exe
5076	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	tmp.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeManageVolumePrivilege	4580	svchost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 5076	2544	tmp.exe	42
PID 2544 wrote to memory of 5076	2544	tmp.exe	42

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5076

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hdkiot2z.ssl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
169B

MD5
f260d997847031123b867315e786a3d6

SHA1
615bbfa05aa7eb9ae9fe02ebf757265d76a08a5a

SHA256
26c9afc6ec388c82deb202d2fdb8851eb5a1f8c612d134f7d930ddc78f59a60b

SHA512
a8fc78cd1d98dba42710bb2fc4a6678957dc0d90c9d7b3a6856b0c4ed833b49cd720e4cc8991a37fbcff0a79beb2254bbbbdf3a513c9a1e153d47f837c94e579

Download Submit
memory/2544-40-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/2544-2-0x000000001B820000-0x000000001BCEE000-memory.dmp

Filesize
4.8MB

Download
memory/2544-3-0x00007FF860660000-0x00007FF861001000-memory.dmp

Filesize
9.6MB

Download
memory/2544-5-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/2544-7-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/2544-6-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/2544-1-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/2544-39-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/2544-0-0x00007FF860660000-0x00007FF861001000-memory.dmp

Filesize
9.6MB

Download
memory/2544-37-0x00007FF860660000-0x00007FF861001000-memory.dmp

Filesize
9.6MB

Download
memory/2544-4-0x000000001B220000-0x000000001B2BC000-memory.dmp

Filesize
624KB

Download
memory/2544-38-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/2544-36-0x00007FF860660000-0x00007FF861001000-memory.dmp

Filesize
9.6MB

Download
memory/4580-57-0x000001FC06340000-0x000001FC06350000-memory.dmp

Filesize
64KB

Download
memory/4580-73-0x000001FC0E6A0000-0x000001FC0E6A1000-memory.dmp

Filesize
4KB

Download
memory/4580-75-0x000001FC0E6D0000-0x000001FC0E6D1000-memory.dmp

Filesize
4KB

Download
memory/4580-76-0x000001FC0E6D0000-0x000001FC0E6D1000-memory.dmp

Filesize
4KB

Download
memory/4580-77-0x000001FC0E7E0000-0x000001FC0E7E1000-memory.dmp

Filesize
4KB

Download
memory/5076-18-0x0000020E68F70000-0x0000020E68F92000-memory.dmp

Filesize
136KB

Download
memory/5076-29-0x0000020E67670000-0x0000020E67680000-memory.dmp

Filesize
64KB

Download
memory/5076-28-0x00007FF85D530000-0x00007FF85DFF1000-memory.dmp

Filesize
10.8MB

Download
memory/5076-30-0x0000020E67670000-0x0000020E67680000-memory.dmp

Filesize
64KB

Download
memory/5076-33-0x00007FF85D530000-0x00007FF85DFF1000-memory.dmp

Filesize
10.8MB

Download