55598bf72a8280ef7888182697e6b454edabe890ba71c362e26560acf832a949

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 09:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8ed7f9c42eba777df54b300160c5fae4.exe
Size

41KB
MD5

8ed7f9c42eba777df54b300160c5fae4
SHA1

70d95f5f2799feb34adc182813fb42fc50258844
SHA256

55598bf72a8280ef7888182697e6b454edabe890ba71c362e26560acf832a949
SHA512

d22670d1c4376e67e0bffdde26f6a1565965af06dd7bb3a8b23a06951e35cbd56c5e509d68b1068f6d38ddd8c2efc03b6a0fede3683e44f76e85231a5b92cd67
SSDEEP

384:SE4TaY4GD/kM1BrGFSC4vBATIHS5W8P0xVa+GmllInCEcyRpILQDoejOoZ4Wq8hg:SzmYvL1BFcIHV8Ya2B9/koCOobhxD

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File created	C:\Windows\SysWOW64\delself.bat	8ed7f9c42eba777df54b300160c5fae4.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	8ed7f9c42eba777df54b300160c5fae4.exe
Token: SeDebugPrivilege	2980	8ed7f9c42eba777df54b300160c5fae4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3908	2980	8ed7f9c42eba777df54b300160c5fae4.exe	86
PID 2980 wrote to memory of 3908	2980	8ed7f9c42eba777df54b300160c5fae4.exe	86
PID 2980 wrote to memory of 3908	2980	8ed7f9c42eba777df54b300160c5fae4.exe	86
PID 3908 wrote to memory of 2812	3908	cmd.exe	88
PID 3908 wrote to memory of 2812	3908	cmd.exe	88
PID 3908 wrote to memory of 2812	3908	cmd.exe	88

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2812	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8ed7f9c42eba777df54b300160c5fae4.exe
"C:\Users\Admin\AppData\Local\Temp\8ed7f9c42eba777df54b300160c5fae4.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\delself.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h "C:\Users\Admin\AppData\Local\Temp\8ed7f9c42eba777df54b300160c5fae4.exe"
    3⤵
    - Views/modifies file attributes
    PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\delself.bat

Filesize
296B

MD5
384b51dcec62932c023943c020c513db

SHA1
5102fda177deb2455ce4a47a6ac891c2f433f004

SHA256
948598b72ef2271acf4905ec6fd761a5e2982c268bc57c9b07c425efcf536135

SHA512
6804907aeb8260746c8d61610cf79280f7fd6ab892550c6482da2c302f4e31294188fc773629f8fdd34a35757ec06d50ae4f5368cc92a2333312ca0d7cf1535c

Download Submit
memory/2980-0-0x0000000013140000-0x000000001314C000-memory.dmp

Filesize
48KB

Download
memory/2980-3-0x0000000013140000-0x000000001314C000-memory.dmp

Filesize
48KB

Download
memory/4868-5-0x00000283AE380000-0x00000283AE390000-memory.dmp

Filesize
64KB

Download
memory/4868-11-0x00000283AEA60000-0x00000283AEA70000-memory.dmp

Filesize
64KB

Download