f3e8a0f0e7501fd30c5455f191c9903a2db443ce2983adabcf893210bd739932

Analysis

max time kernel
144s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17/02/2024, 23:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f3e8a0f0e7501fd30c5455f191c9903a2db443ce2983adabcf893210bd739932.exe
Size

196KB
MD5

4ece7f4f0a91a9c37da627fa1f1f03c3
SHA1

c6e292fca94e602be93ff79a815b24922b05e329
SHA256

f3e8a0f0e7501fd30c5455f191c9903a2db443ce2983adabcf893210bd739932
SHA512

0daee838855eb6cdb32d34664d6eb6d8f6b4d82377084010195445968c90d3438a533cc7d9d26b78caef7e60e32762281f12c933a13f4c3ee8effa4c75604cd3
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOE:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2776	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2152	rwmhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\rwmhost.exe	f3e8a0f0e7501fd30c5455f191c9903a2db443ce2983adabcf893210bd739932.exe
File opened for modification	C:\Windows\Debug\rwmhost.exe	f3e8a0f0e7501fd30c5455f191c9903a2db443ce2983adabcf893210bd739932.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3016	f3e8a0f0e7501fd30c5455f191c9903a2db443ce2983adabcf893210bd739932.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2776	3016	f3e8a0f0e7501fd30c5455f191c9903a2db443ce2983adabcf893210bd739932.exe	29
PID 3016 wrote to memory of 2776	3016	f3e8a0f0e7501fd30c5455f191c9903a2db443ce2983adabcf893210bd739932.exe	29
PID 3016 wrote to memory of 2776	3016	f3e8a0f0e7501fd30c5455f191c9903a2db443ce2983adabcf893210bd739932.exe	29
PID 3016 wrote to memory of 2776	3016	f3e8a0f0e7501fd30c5455f191c9903a2db443ce2983adabcf893210bd739932.exe	29

C:\Users\Admin\AppData\Local\Temp\f3e8a0f0e7501fd30c5455f191c9903a2db443ce2983adabcf893210bd739932.exe
"C:\Users\Admin\AppData\Local\Temp\f3e8a0f0e7501fd30c5455f191c9903a2db443ce2983adabcf893210bd739932.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F3E8A0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2776

C:\Windows\Debug\rwmhost.exe
C:\Windows\Debug\rwmhost.exe
1⤵
- Executes dropped EXE
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\rwmhost.exe

Filesize
196KB

MD5
ee7a3c242ca535e1d04f3f692e5891dd

SHA1
8363b2d2535232d24f9e75a17b8b727c661dc436

SHA256
e6e8c9b2adf774fecc7234405afee10a0e2ff2f8027b8738d975793d26581e52

SHA512
4adc099e615a0a7d321c2204ba38d0b3e04fede218c7e68f3ec41a59038977c29e9c6c8210779e9bd2fc51cf212d8dbd9c37e52d8f79ee229e29d5d1f3383351

Download Submit