63fb3bf2822b8e3bc0217a525869097eb783f2e6b5d7a3ec71f884c3cbd89736

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 23:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c1db68f980a8d8744d998deb4831aa99.exe
Size

324KB
MD5

c1db68f980a8d8744d998deb4831aa99
SHA1

ff39f971c27317b038a4d0a0141df1fc58e3f5b4
SHA256

63fb3bf2822b8e3bc0217a525869097eb783f2e6b5d7a3ec71f884c3cbd89736
SHA512

23a42820936acb2a303da08b80671564d1f388d594d1962c5c34ced523d0ed198a6be81aa89ff3919cf8bc0ec01dd3c2c6de07bef230d379bf1349951d383819
SSDEEP

6144:QYeF2idZecnl20lHRxp3gTe0M6E81xS0WcHpsFbBqaq:MF3Z4mxxR0MHoTAFbQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2660	Win.exe

Loads dropped DLL 2 IoCs

pid	Process
2468	WScript.exe
2468	WScript.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Win.exe	c1db68f980a8d8744d998deb4831aa99.exe
File opened for modification	C:\Windows\SysWOW64\Win.exe	c1db68f980a8d8744d998deb4831aa99.exe
File created	C:\Windows\SysWOW64\ds.vbs	c1db68f980a8d8744d998deb4831aa99.exe
File created	C:\Windows\SysWOW64\Win.exe	Win.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2648	c1db68f980a8d8744d998deb4831aa99.exe
Token: SeIncBasePriorityPrivilege	2660	Win.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2468	2648	c1db68f980a8d8744d998deb4831aa99.exe	28
PID 2648 wrote to memory of 2468	2648	c1db68f980a8d8744d998deb4831aa99.exe	28
PID 2648 wrote to memory of 2468	2648	c1db68f980a8d8744d998deb4831aa99.exe	28
PID 2648 wrote to memory of 2468	2648	c1db68f980a8d8744d998deb4831aa99.exe	28
PID 2648 wrote to memory of 2624	2648	c1db68f980a8d8744d998deb4831aa99.exe	29
PID 2648 wrote to memory of 2624	2648	c1db68f980a8d8744d998deb4831aa99.exe	29
PID 2648 wrote to memory of 2624	2648	c1db68f980a8d8744d998deb4831aa99.exe	29
PID 2648 wrote to memory of 2624	2648	c1db68f980a8d8744d998deb4831aa99.exe	29
PID 2468 wrote to memory of 2660	2468	WScript.exe	30
PID 2468 wrote to memory of 2660	2468	WScript.exe	30
PID 2468 wrote to memory of 2660	2468	WScript.exe	30
PID 2468 wrote to memory of 2660	2468	WScript.exe	30
PID 2660 wrote to memory of 2532	2660	Win.exe	31
PID 2660 wrote to memory of 2532	2660	Win.exe	31
PID 2660 wrote to memory of 2532	2660	Win.exe	31
PID 2660 wrote to memory of 2532	2660	Win.exe	31

C:\Users\Admin\AppData\Local\Temp\c1db68f980a8d8744d998deb4831aa99.exe
"C:\Users\Admin\AppData\Local\Temp\c1db68f980a8d8744d998deb4831aa99.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\system32\ds.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\Win.exe
    "C:\Windows\system32\Win.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\Win.exe > nul
      4⤵
      PID:2532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C1DB68~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Win.exe

Filesize
324KB

MD5
c1db68f980a8d8744d998deb4831aa99

SHA1
ff39f971c27317b038a4d0a0141df1fc58e3f5b4

SHA256
63fb3bf2822b8e3bc0217a525869097eb783f2e6b5d7a3ec71f884c3cbd89736

SHA512
23a42820936acb2a303da08b80671564d1f388d594d1962c5c34ced523d0ed198a6be81aa89ff3919cf8bc0ec01dd3c2c6de07bef230d379bf1349951d383819

Download Submit
C:\Windows\SysWOW64\Win.exe

Filesize
43KB

MD5
5a805473961b59dd6b54321334d9cb78

SHA1
d6a7445a31d113e567bc257699ca63ac35d1fc6f

SHA256
941788515f02551746c2f9a7adc3d2e4460312f434780e5180c784dff4de027e

SHA512
e521205e45429465f9c44b7a1c70b2ee3ac9d009b4d76635e867ff19252c4b7e7e75eedddb35c2c5a596207af36bf0e822bdbd0a12423c2f5778a750b27e7902

Download Submit
memory/2468-53-0x0000000003300000-0x000000000335B000-memory.dmp

Filesize
364KB

Download
memory/2468-47-0x0000000003300000-0x000000000335B000-memory.dmp

Filesize
364KB

Download
memory/2468-50-0x0000000003300000-0x000000000335B000-memory.dmp

Filesize
364KB

Download
memory/2648-40-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/2648-28-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-33-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-41-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2648-42-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2648-43-0x0000000000330000-0x0000000000384000-memory.dmp

Filesize
336KB

Download
memory/2648-1-0x0000000000330000-0x0000000000384000-memory.dmp

Filesize
336KB

Download
memory/2648-39-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-36-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-35-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-34-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-32-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-12-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/2648-14-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-10-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/2648-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2648-15-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-13-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/2648-31-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-30-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-29-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-21-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-27-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-26-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-25-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-24-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-23-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-22-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-20-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-19-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-18-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-17-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-16-0x0000000003170000-0x00000000031B0000-memory.dmp

Filesize
256KB

Download
memory/2648-11-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/2648-9-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2648-8-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2648-7-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2648-6-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2648-2-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2660-51-0x0000000000330000-0x0000000000384000-memory.dmp

Filesize
336KB

Download
memory/2660-52-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download