ce9f6a5ef001e835f9e572de81693e2e81c877d1e7ae8424202b69c5742705ee

Analysis

max time kernel
144s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
28-02-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tundra/Tundra.exe
Size

377KB
MD5

7cbc5915698f95ffdec2122fb8eda7d7
SHA1

237c7cd54302c0a1083fd7114572b6f6ec67883e
SHA256

943c28f6cb1d7cb2020fb246aaebd5760c159bb455dc944adedc52aa2125f5d0
SHA512

a077f6bca84e27112287dfdb4f98e8c8ebfd3633bf4cf9f1f5e30f630e7614435a4627e9d2bc6d864f3c8bd1002390065b2b7dbcbdfaf15276fa5be68a9ecaf7
SSDEEP

6144:DYac7RzReNzny1BH2faX7RzReNzny1BH2:3qR99TrR99

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5012	wmic.exe
Token: SeSecurityPrivilege	5012	wmic.exe
Token: SeTakeOwnershipPrivilege	5012	wmic.exe
Token: SeLoadDriverPrivilege	5012	wmic.exe
Token: SeSystemProfilePrivilege	5012	wmic.exe
Token: SeSystemtimePrivilege	5012	wmic.exe
Token: SeProfSingleProcessPrivilege	5012	wmic.exe
Token: SeIncBasePriorityPrivilege	5012	wmic.exe
Token: SeCreatePagefilePrivilege	5012	wmic.exe
Token: SeBackupPrivilege	5012	wmic.exe
Token: SeRestorePrivilege	5012	wmic.exe
Token: SeShutdownPrivilege	5012	wmic.exe
Token: SeDebugPrivilege	5012	wmic.exe
Token: SeSystemEnvironmentPrivilege	5012	wmic.exe
Token: SeRemoteShutdownPrivilege	5012	wmic.exe
Token: SeUndockPrivilege	5012	wmic.exe
Token: SeManageVolumePrivilege	5012	wmic.exe
Token: 33	5012	wmic.exe
Token: 34	5012	wmic.exe
Token: 35	5012	wmic.exe
Token: 36	5012	wmic.exe
Token: SeIncreaseQuotaPrivilege	5012	wmic.exe
Token: SeSecurityPrivilege	5012	wmic.exe
Token: SeTakeOwnershipPrivilege	5012	wmic.exe
Token: SeLoadDriverPrivilege	5012	wmic.exe
Token: SeSystemProfilePrivilege	5012	wmic.exe
Token: SeSystemtimePrivilege	5012	wmic.exe
Token: SeProfSingleProcessPrivilege	5012	wmic.exe
Token: SeIncBasePriorityPrivilege	5012	wmic.exe
Token: SeCreatePagefilePrivilege	5012	wmic.exe
Token: SeBackupPrivilege	5012	wmic.exe
Token: SeRestorePrivilege	5012	wmic.exe
Token: SeShutdownPrivilege	5012	wmic.exe
Token: SeDebugPrivilege	5012	wmic.exe
Token: SeSystemEnvironmentPrivilege	5012	wmic.exe
Token: SeRemoteShutdownPrivilege	5012	wmic.exe
Token: SeUndockPrivilege	5012	wmic.exe
Token: SeManageVolumePrivilege	5012	wmic.exe
Token: 33	5012	wmic.exe
Token: 34	5012	wmic.exe
Token: 35	5012	wmic.exe
Token: 36	5012	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 5012	1536	Tundra.exe	78
PID 1536 wrote to memory of 5012	1536	Tundra.exe	78

C:\Users\Admin\AppData\Local\Temp\Tundra\Tundra.exe
"C:\Users\Admin\AppData\Local\Temp\Tundra\Tundra.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1536-0-0x0000016260F60000-0x0000016260FC2000-memory.dmp

Filesize
392KB

Download
memory/1536-1-0x0000016261430000-0x000001626145E000-memory.dmp

Filesize
184KB

Download
memory/1536-2-0x00007FF854DC0000-0x00007FF855882000-memory.dmp

Filesize
10.8MB

Download
memory/1536-3-0x000001627B7E0000-0x000001627B7F0000-memory.dmp

Filesize
64KB

Download
memory/1536-4-0x000001627BA50000-0x000001627BAA8000-memory.dmp

Filesize
352KB

Download
memory/1536-5-0x000001627B7E0000-0x000001627B7F0000-memory.dmp

Filesize
64KB

Download
memory/1536-6-0x000001627B7E0000-0x000001627B7F0000-memory.dmp

Filesize
64KB

Download
memory/1536-7-0x000001627B7E0000-0x000001627B7F0000-memory.dmp

Filesize
64KB

Download
memory/1536-9-0x00007FF854DC0000-0x00007FF855882000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads