9873433df84391be0afd08cc0854ef704496bf9ef765bdfc4848f273b6ef7a78

Analysis

max time kernel
9s
max time network
9s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 10:50

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

96f994a1a15f477fc1eab23066dc2315.exe
Size

24KB
MD5

96f994a1a15f477fc1eab23066dc2315
SHA1

da3b50b9106ffa49b65af469f934349c76882fc7
SHA256

9873433df84391be0afd08cc0854ef704496bf9ef765bdfc4848f273b6ef7a78
SHA512

ae7ee0dd6dc9c371e273d557176d0c701eb4e349cceec492b2cd3fd2447b44229b363734926b324a27cceffdaf72fe1f581aeacc78aa5cdecd2c1cd367f8401b
SSDEEP

384:zrXJ/wnDo6zLDGGezpA9FBBM7bnFLABrRRvXQqpe1Hv:z16M7DFwrnXZped

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2228	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2224	96f994a1a15f477fc1eab23066dc2315.exe
2224	96f994a1a15f477fc1eab23066dc2315.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2224	96f994a1a15f477fc1eab23066dc2315.exe
Token: SeIncBasePriorityPrivilege	2224	96f994a1a15f477fc1eab23066dc2315.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2224	96f994a1a15f477fc1eab23066dc2315.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2228	2224	96f994a1a15f477fc1eab23066dc2315.exe	29
PID 2224 wrote to memory of 2228	2224	96f994a1a15f477fc1eab23066dc2315.exe	29
PID 2224 wrote to memory of 2228	2224	96f994a1a15f477fc1eab23066dc2315.exe	29
PID 2224 wrote to memory of 2228	2224	96f994a1a15f477fc1eab23066dc2315.exe	29

C:\Users\Admin\AppData\Local\Temp\96f994a1a15f477fc1eab23066dc2315.exe
"C:\Users\Admin\AppData\Local\Temp\96f994a1a15f477fc1eab23066dc2315.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\96F994~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2228

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2320

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2320-0-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2484-1-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download