a97139cfc3e5cef33099ea2060ae09e8b4fcf57670b5e8e258abe6276f524202

Analysis

max time kernel
458s
max time network
1166s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
22/02/2024, 09:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

HWID-SPOOFER-main/Commands/Hidden/Block.exe
Size

119KB
MD5

5782b8d469bbc9045ebd2316c2aefbd5
SHA1

f679adea19ac0e88a50cfefb88825a086102f77d
SHA256

dfd08e1d7a34bae6836b3915b45b8637b85cdc998198c5bf148fba5e96f15c21
SHA512

e57ed92d3c916b89e5f830fb52a63b330e404ea91a7cc0e0b0e8cfb03f9bea7252f1fa8fcf3950ae2bd404dcd189eeac27bcdc1cf529acd8ebde0bc5f457d023
SSDEEP

3072:u2sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcXnI:PbJhs7QW69hd1MMdxPe9N9uA0hu9TBKI

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1872	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
432	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	tasklist.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 2844	4588	Block.exe	80
PID 4588 wrote to memory of 2844	4588	Block.exe	80
PID 2844 wrote to memory of 432	2844	cmd.exe	82
PID 2844 wrote to memory of 432	2844	cmd.exe	82
PID 2844 wrote to memory of 1872	2844	cmd.exe	84
PID 2844 wrote to memory of 1872	2844	cmd.exe	84
PID 2844 wrote to memory of 3464	2844	cmd.exe	85
PID 2844 wrote to memory of 3464	2844	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\HWID-SPOOFER-main\Commands\Hidden\Block.exe
"C:\Users\Admin\AppData\Local\Temp\HWID-SPOOFER-main\Commands\Hidden\Block.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E0EA.tmp\E0EB.tmp\E0EC.bat C:\Users\Admin\AppData\Local\Temp\HWID-SPOOFER-main\Commands\Hidden\Block.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:432
- - C:\Windows\system32\tasklist.exe
    tasklist /NH /FI "imagename eq Monotone.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Windows\system32\find.exe
    find /i "Monotone.exe"
    3⤵
    PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E0EA.tmp\E0EB.tmp\E0EC.bat

Filesize
234B

MD5
6bf25f359aa5fbd7e1dd035df781227c

SHA1
f13a903548ba59fe28e1b6edca19bab5083b806d

SHA256
db9b3975c87afa294cafdd40cac28ed305d39c6215aa170dc3cf6005e86f9e46

SHA512
ea91c96d2d8a5c28e4d81af7ac0175b9dcd6757e97925609ac23ce4e1738698c10ffd05ce446610330d6f66b78f01336df1a997d1535ab8d0925eef2de9ae314

Download Submit