45304df66ae26f24a75731abbab292eb112f15fae33f7cea073a09203439fc0c

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85d7261abe81a306c834e86e5985c4b4.exe
Size

20KB
MD5

85d7261abe81a306c834e86e5985c4b4
SHA1

88a62461914fe7c8f9ce7bfb92bc3d6f76071f34
SHA256

45304df66ae26f24a75731abbab292eb112f15fae33f7cea073a09203439fc0c
SHA512

cecf4e7e032d0d01feb42b02a8bcbe95155103f9204f3ddbcd0d1d4fe4ebec847bc7d68b4e845c2ed9b6954438324917b69195a81c5b5234f800b4225d741821
SSDEEP

384:x/oe8zdTyBsyqAIZhgfxKRVpo7H5R3T4pwf1hhhJ2VbCrzW0XWkVbZb7OF:8WsyqAggfdzkqb4iHFIF

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2212	85d7261abe81a306c834e86e5985c4b4.exe
2212	85d7261abe81a306c834e86e5985c4b4.exe
2212	85d7261abe81a306c834e86e5985c4b4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	85d7261abe81a306c834e86e5985c4b4.exe
Token: SeSystemtimePrivilege	2212	85d7261abe81a306c834e86e5985c4b4.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 240	2212	85d7261abe81a306c834e86e5985c4b4.exe	28
PID 2212 wrote to memory of 240	2212	85d7261abe81a306c834e86e5985c4b4.exe	28
PID 2212 wrote to memory of 240	2212	85d7261abe81a306c834e86e5985c4b4.exe	28
PID 2212 wrote to memory of 240	2212	85d7261abe81a306c834e86e5985c4b4.exe	28
PID 2212 wrote to memory of 240	2212	85d7261abe81a306c834e86e5985c4b4.exe	28
PID 2212 wrote to memory of 240	2212	85d7261abe81a306c834e86e5985c4b4.exe	28
PID 2212 wrote to memory of 240	2212	85d7261abe81a306c834e86e5985c4b4.exe	28
PID 2212 wrote to memory of 2516	2212	85d7261abe81a306c834e86e5985c4b4.exe	30
PID 2212 wrote to memory of 2516	2212	85d7261abe81a306c834e86e5985c4b4.exe	30
PID 2212 wrote to memory of 2516	2212	85d7261abe81a306c834e86e5985c4b4.exe	30
PID 2212 wrote to memory of 2516	2212	85d7261abe81a306c834e86e5985c4b4.exe	30
PID 2212 wrote to memory of 2516	2212	85d7261abe81a306c834e86e5985c4b4.exe	30
PID 2212 wrote to memory of 2516	2212	85d7261abe81a306c834e86e5985c4b4.exe	30
PID 2212 wrote to memory of 2516	2212	85d7261abe81a306c834e86e5985c4b4.exe	30
PID 2212 wrote to memory of 3048	2212	85d7261abe81a306c834e86e5985c4b4.exe	32
PID 2212 wrote to memory of 3048	2212	85d7261abe81a306c834e86e5985c4b4.exe	32
PID 2212 wrote to memory of 3048	2212	85d7261abe81a306c834e86e5985c4b4.exe	32
PID 2212 wrote to memory of 3048	2212	85d7261abe81a306c834e86e5985c4b4.exe	32
PID 2212 wrote to memory of 3048	2212	85d7261abe81a306c834e86e5985c4b4.exe	32
PID 2212 wrote to memory of 3048	2212	85d7261abe81a306c834e86e5985c4b4.exe	32
PID 2212 wrote to memory of 3048	2212	85d7261abe81a306c834e86e5985c4b4.exe	32
PID 2212 wrote to memory of 1164	2212	85d7261abe81a306c834e86e5985c4b4.exe	34
PID 2212 wrote to memory of 1164	2212	85d7261abe81a306c834e86e5985c4b4.exe	34
PID 2212 wrote to memory of 1164	2212	85d7261abe81a306c834e86e5985c4b4.exe	34
PID 2212 wrote to memory of 1164	2212	85d7261abe81a306c834e86e5985c4b4.exe	34
PID 2212 wrote to memory of 1164	2212	85d7261abe81a306c834e86e5985c4b4.exe	34
PID 2212 wrote to memory of 1164	2212	85d7261abe81a306c834e86e5985c4b4.exe	34
PID 2212 wrote to memory of 1164	2212	85d7261abe81a306c834e86e5985c4b4.exe	34
PID 2212 wrote to memory of 2800	2212	85d7261abe81a306c834e86e5985c4b4.exe	36
PID 2212 wrote to memory of 2800	2212	85d7261abe81a306c834e86e5985c4b4.exe	36
PID 2212 wrote to memory of 2800	2212	85d7261abe81a306c834e86e5985c4b4.exe	36
PID 2212 wrote to memory of 2800	2212	85d7261abe81a306c834e86e5985c4b4.exe	36
PID 2212 wrote to memory of 2800	2212	85d7261abe81a306c834e86e5985c4b4.exe	36
PID 2212 wrote to memory of 2800	2212	85d7261abe81a306c834e86e5985c4b4.exe	36
PID 2212 wrote to memory of 2800	2212	85d7261abe81a306c834e86e5985c4b4.exe	36
PID 2212 wrote to memory of 2948	2212	85d7261abe81a306c834e86e5985c4b4.exe	38
PID 2212 wrote to memory of 2948	2212	85d7261abe81a306c834e86e5985c4b4.exe	38
PID 2212 wrote to memory of 2948	2212	85d7261abe81a306c834e86e5985c4b4.exe	38
PID 2212 wrote to memory of 2948	2212	85d7261abe81a306c834e86e5985c4b4.exe	38
PID 2212 wrote to memory of 2948	2212	85d7261abe81a306c834e86e5985c4b4.exe	38
PID 2212 wrote to memory of 2948	2212	85d7261abe81a306c834e86e5985c4b4.exe	38
PID 2212 wrote to memory of 2948	2212	85d7261abe81a306c834e86e5985c4b4.exe	38
PID 2212 wrote to memory of 2852	2212	85d7261abe81a306c834e86e5985c4b4.exe	40
PID 2212 wrote to memory of 2852	2212	85d7261abe81a306c834e86e5985c4b4.exe	40
PID 2212 wrote to memory of 2852	2212	85d7261abe81a306c834e86e5985c4b4.exe	40
PID 2212 wrote to memory of 2852	2212	85d7261abe81a306c834e86e5985c4b4.exe	40
PID 2212 wrote to memory of 2852	2212	85d7261abe81a306c834e86e5985c4b4.exe	40
PID 2212 wrote to memory of 2852	2212	85d7261abe81a306c834e86e5985c4b4.exe	40
PID 2212 wrote to memory of 2852	2212	85d7261abe81a306c834e86e5985c4b4.exe	40
PID 2212 wrote to memory of 2592	2212	85d7261abe81a306c834e86e5985c4b4.exe	42
PID 2212 wrote to memory of 2592	2212	85d7261abe81a306c834e86e5985c4b4.exe	42
PID 2212 wrote to memory of 2592	2212	85d7261abe81a306c834e86e5985c4b4.exe	42
PID 2212 wrote to memory of 2592	2212	85d7261abe81a306c834e86e5985c4b4.exe	42
PID 2212 wrote to memory of 2592	2212	85d7261abe81a306c834e86e5985c4b4.exe	42
PID 2212 wrote to memory of 2592	2212	85d7261abe81a306c834e86e5985c4b4.exe	42
PID 2212 wrote to memory of 2592	2212	85d7261abe81a306c834e86e5985c4b4.exe	42

C:\Users\Admin\AppData\Local\Temp\85d7261abe81a306c834e86e5985c4b4.exe
"C:\Users\Admin\AppData\Local\Temp\85d7261abe81a306c834e86e5985c4b4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\packet.dll /e /p everyone:f
  2⤵
  PID:240
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\pthreadVC.dll /e /p everyone:f
  2⤵
  PID:2516
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\wpcap.dll /e /p everyone:f
  2⤵
  PID:3048
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\drivers\npf.sys /e /p everyone:f
  2⤵
  PID:1164
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\npptools.dll /e /p everyone:f
  2⤵
  PID:2800
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\drivers\acpidisk.sys /e /p everyone:f
  2⤵
  PID:2948
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\wanpacket.dll /e /p everyone:f
  2⤵
  PID:2852
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f
  2⤵
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2212-0-0x0000000013140000-0x000000001314B000-memory.dmp

Filesize
44KB

Download
memory/2212-3-0x0000000013140000-0x000000001314B000-memory.dmp

Filesize
44KB

Download
memory/2212-2-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2212-1-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download