4ae9f46399bb088df9b59fea4f80f3448e9b3937476a10ab5af00e7b80a8597e

Resubmissions

13/02/2024, 05:55

240213-gmt9jsbb68 3

13/02/2024, 05:38

240213-gbrz2sfg6w 3

Analysis

max time kernel
448s
max time network
451s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VeeamManageClient.exe
Size

39KB
MD5

a56012610e82f692cbcd80ea54cfc522
SHA1

722d883a8b8737bd0bf92901671b9c758b6a706b
SHA256

4ae9f46399bb088df9b59fea4f80f3448e9b3937476a10ab5af00e7b80a8597e
SHA512

b22147f325a9a2276a6c7d23b18bc5dfda9fc921817865566d5ebf5a1fac139746ec88885844a523018fb219e082c7c2f69341b7711168540be0a1fb8137aacb
SSDEEP

768:KPKylEHlFZMC+t2FHyfcvF4FYY1A+84ykatVST5:KCfR2cvmW48s

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1268	VeeamManageClient.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	VeeamManageClient.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 4848	1268	VeeamManageClient.exe	36
PID 1268 wrote to memory of 4848	1268	VeeamManageClient.exe	36
PID 4848 wrote to memory of 1876	4848	csc.exe	38
PID 4848 wrote to memory of 1876	4848	csc.exe	38

C:\Users\Admin\AppData\Local\Temp\VeeamManageClient.exe
"C:\Users\Admin\AppData\Local\Temp\VeeamManageClient.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ui1egvk0\ui1egvk0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4287.tmp" "c:\Users\Admin\AppData\Local\Temp\ui1egvk0\CSCE89E5D4913A441F5BB68DCEDBF58F96D.TMP"
    3⤵
    PID:1876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4287.tmp

Filesize
1KB

MD5
71691bf6074704b7305ee22fb52d8366

SHA1
0e6d6e9631f1394e6f40e0eef84a9a325f52d668

SHA256
5eadda874ad12ea0450ffe4185fd33b108e00274a89c676a4b92d500d48357ac

SHA512
d44cf53cc5692d6206f7a0327280b381494daee4fe17afc05f25bfd43f50f5e40342f76a24a40743b668a6cb9a0d74874f997a3ab50913deebc5875b5a309dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ctmy1rvw.x4e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ui1egvk0\ui1egvk0.dll

Filesize
3KB

MD5
a3e63a11c2a1ec9d7a0f67dae1c5bd42

SHA1
5bd9f6517e0425ff94599ff5a096e69c18f20ffc

SHA256
cd1735124f1486f564fc18eed889d9fab8c643bee34b7af21d32c37ef9a419d0

SHA512
e56b272f51e117be723ab1a118d8eaf6885a5e5f77bd583e3b16e2095702c678a39d0455da1cf1152f3c88d3597ac2bfaeffa4531b7224ff87ea51bfd6f0f74e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ui1egvk0\CSCE89E5D4913A441F5BB68DCEDBF58F96D.TMP

Filesize
652B

MD5
daa1d0d83b1bc9ab031c1305ba1411be

SHA1
c492e96e4c3ebf50e5f285a3066c67cb2a80fa0d

SHA256
4ccdee53a7c2ff369ab4342eaf13a6938eb1bfac6e3890f650ce5bd0f598012d

SHA512
9c26f82b26d4111b2518152982e4fbb2c8e2cdd01495f529dc80215367a1fd19fd40f70ad9f80ce4a600e997c1d8c77b010a8670c9fea870f10a047be5073939

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ui1egvk0\ui1egvk0.0.cs

Filesize
287B

MD5
c23393a348ab66b915e53ee71f0bf2c7

SHA1
fa10a1ff1ea87b3589b32287e3fd16d7ce443d1b

SHA256
f11fae345310c3238f5440e77c25032728583ef6e2ea3821e8bf8762e169e5fd

SHA512
a88efd57ab84e5e220fdcd1c9ed971f55d99e4de54b518e22c0b229b3f9a0145182b5a5fbd71aa456b4209dcb76e87d6531d7ad9f60ee95636a550ce69d9a168

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ui1egvk0\ui1egvk0.cmdline

Filesize
369B

MD5
833a232b851f5c836b4b2fa5e3e80477

SHA1
86e9cc48cde2d8b400981017c7bd4aaad966ec24

SHA256
624c7ae281d10d7849520e40d446d12b73020349d45318b748c7e41a496c5411

SHA512
56ca62eee458319af83c0fe5f1cadbc134b30f282607c961d56a1e6b168f659a2ef338e77d84762bdf1b15eaa3786222665e75cdddd0043283209f9fe75626bf

Download Submit
memory/1268-0-0x0000000000710000-0x0000000000720000-memory.dmp

Filesize
64KB

Download
memory/1268-1-0x00007FFBADB70000-0x00007FFBAE631000-memory.dmp

Filesize
10.8MB

Download
memory/1268-11-0x000000001B2A0000-0x000000001B2C2000-memory.dmp

Filesize
136KB

Download
memory/1268-24-0x000000001B290000-0x000000001B298000-memory.dmp

Filesize
32KB

Download
memory/1268-26-0x000000001B360000-0x000000001B370000-memory.dmp

Filesize
64KB

Download
memory/1268-28-0x00007FFBADB70000-0x00007FFBAE631000-memory.dmp

Filesize
10.8MB

Download