fa679f8844ab283168f56247764b5e44cddd0aad6aea878fb213b80b54d51ce4

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vaultFile11542278852936095360.exe
Size

209KB
MD5

2c728b8d169a71f995b2b06f70e1949c
SHA1

566799671a67ade9ac1319ee9c9526798afd8aeb
SHA256

fa679f8844ab283168f56247764b5e44cddd0aad6aea878fb213b80b54d51ce4
SHA512

cc07d587e64982232570cb7b7fdc858a449cdb1fc268a0954d69d2a90b4fcf3e73d0c44706d9533d7d4e8d2ad977f06819459711b22604615039b181370af707
SSDEEP

3072:p86dHxGNd5E9o7lOCET1NNAhTtaWmZzFfokt+F9EepWL2tI2b3UH8XAwKYEJ:plJ4Nwo7lOpT2hkWGzxU7pBwHSXEJ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1048	WScript.exe
4	1048	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2640	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1048	2044	vaultFile11542278852936095360.exe	28
PID 2044 wrote to memory of 1048	2044	vaultFile11542278852936095360.exe	28
PID 2044 wrote to memory of 1048	2044	vaultFile11542278852936095360.exe	28
PID 2044 wrote to memory of 1048	2044	vaultFile11542278852936095360.exe	28
PID 1048 wrote to memory of 2640	1048	WScript.exe	29
PID 1048 wrote to memory of 2640	1048	WScript.exe	29
PID 1048 wrote to memory of 2640	1048	WScript.exe	29
PID 1048 wrote to memory of 2640	1048	WScript.exe	29

C:\Users\Admin\AppData\Local\Temp\vaultFile11542278852936095360.exe
"C:\Users\Admin\AppData\Local\Temp\vaultFile11542278852936095360.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /im xmrig.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winlog.vbs

Filesize
5KB

MD5
406ef562a1ed4e5ae5a3da786511e016

SHA1
8e440da9b8c0fa43e764854dfd84ac9e622fa82e

SHA256
25aac05954d8717268c556f0708c69b6df5279c46f44b05c03308333f8e57cf1

SHA512
2cf0ac454119d9ac24e9893796779ee476fe85b30b43d654dce1d7b8241d76431e6d22efd21a31fe6404762bc39cec7ad93549ac93cea225ef82a1d0da5a788e

Download Submit