Analysis
max time kernel: 119s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01/02/2024, 13:12
Static task
static1: 1 signatures

Behavioral task
behavioral1
Sample: 86f83b70d1aa64929c8b89bed5c84f3f.exe
Resource: win7-20231215-en
4 signatures, 150 seconds

Behavioral task
behavioral2
Sample: 86f83b70d1aa64929c8b89bed5c84f3f.exe
Resource: win10v2004-20231222-en
6 signatures, 150 seconds
General
Target: 86f83b70d1aa64929c8b89bed5c84f3f.exe
Size: 14KB
MD5: 86f83b70d1aa64929c8b89bed5c84f3f
SHA1: afd398b63b3fe2191adf9721aececd9c2728b029
SHA256: 0979c50283bc2ac3b15100d23526b100f6742937479a3b70d7a455a94937652a
SHA512: a0bb4c9c6ea1e7bef4d30556bacc56cfdf7073a5aa9de557edff0e87150e28f73472adb71b35696af261ba74e64580ff26daebaccae90d6fbeea9937ba4ab19d
SSDEEP: 384:0WkoWNVbZb7OC/zK2vDW935y3f32Wdev4U0L4iCs/Thp:y/FIaO2M3ov2WdLJbf
Score: 3/10
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2156  86f83b70d1aa64929c8b89bed5c84f3f.exe
2156  86f83b70d1aa64929c8b89bed5c84f3f.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                    pid   Process
Token: SeDebugPrivilege        2156  86f83b70d1aa64929c8b89bed5c84f3f.exe
Token: SeSystemtimePrivilege   2156  86f83b70d1aa64929c8b89bed5c84f3f.exe

Suspicious use of WriteProcessMemory (63 IoCs)
The report lists each of the nine rows below seven times (9 x 7 = 63 IoCs); the repeated rows are collapsed here.
description                        pid   Process                                procid_target
PID 2156 wrote to memory of 2192   2156  86f83b70d1aa64929c8b89bed5c84f3f.exe   28
PID 2156 wrote to memory of 2376   2156  86f83b70d1aa64929c8b89bed5c84f3f.exe   30
PID 2156 wrote to memory of 2752   2156  86f83b70d1aa64929c8b89bed5c84f3f.exe   32
PID 2156 wrote to memory of 2056   2156  86f83b70d1aa64929c8b89bed5c84f3f.exe   34
PID 2156 wrote to memory of 2564   2156  86f83b70d1aa64929c8b89bed5c84f3f.exe   36
PID 2156 wrote to memory of 2796   2156  86f83b70d1aa64929c8b89bed5c84f3f.exe   38
PID 2156 wrote to memory of 2584   2156  86f83b70d1aa64929c8b89bed5c84f3f.exe   40
PID 2156 wrote to memory of 2176   2156  86f83b70d1aa64929c8b89bed5c84f3f.exe   42
PID 2156 wrote to memory of 2604   2156  86f83b70d1aa64929c8b89bed5c84f3f.exe   44
Processes

C:\Users\Admin\AppData\Local\Temp\86f83b70d1aa64929c8b89bed5c84f3f.exe (PID 2156)
  Command line: "C:\Users\Admin\AppData\Local\Temp\86f83b70d1aa64929c8b89bed5c84f3f.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child processes. Every child is cacls.exe run with /e (edit the existing ACL in place rather than replace it) and /p everyone:f (set the Everyone group's permission on the named path to Full Control). The image path is SysWOW64 although the command line names System32 because the 32-bit parent is subject to WOW64 file-system redirection on the x64 sandbox.

  C:\Windows\SysWOW64\cacls.exe (PID 2192)
    "C:\Windows\System32\cacls.exe" c:\windows\system32\packet.dll /e /p everyone:f

  C:\Windows\SysWOW64\cacls.exe (PID 2376)
    "C:\Windows\System32\cacls.exe" c:\windows\system32\pthreadVC.dll /e /p everyone:f

  C:\Windows\SysWOW64\cacls.exe (PID 2752)
    "C:\Windows\System32\cacls.exe" c:\windows\system32\wpcap.dll /e /p everyone:f

  C:\Windows\SysWOW64\cacls.exe (PID 2056)
    "C:\Windows\System32\cacls.exe" c:\windows\system32\drivers\npf.sys /e /p everyone:f

  C:\Windows\SysWOW64\cacls.exe (PID 2564)
    "C:\Windows\System32\cacls.exe" c:\windows\system32\npptools.dll /e /p everyone:f

  C:\Windows\SysWOW64\cacls.exe (PID 2796)
    "C:\Windows\System32\cacls.exe" c:\windows\system32\drivers\acpidisk.sys /e /p everyone:f

  C:\Windows\SysWOW64\cacls.exe (PID 2584)
    "C:\Windows\System32\cacls.exe" c:\windows\system32\wanpacket.dll /e /p everyone:f

  C:\Windows\SysWOW64\cacls.exe (PID 2176)
    "C:\Windows\System32\cacls.exe" c:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f
    (The garbled path segment is a GBK-encoded string displayed through the en-us sandbox's code page; its bytes decode to 「开始」菜单\程序\启动, the All Users Start Menu\Programs\Startup folder of a Chinese-locale Windows XP profile, which does not exist on this Windows 7 image.)

  C:\Windows\SysWOW64\cacls.exe (PID 2604)
    "C:\Windows\System32\cacls.exe" c:\windows\system32\drivers\etc\hosts /e /p everyone:f