e0811a601c983e56789bf72e4befa467e4ef14591911fd777708b58849ed15cf

Analysis

max time kernel
119s
max time network
133s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e09e4c1d42823d952f42e48595d01a4c.exe
Size

146KB
MD5

e09e4c1d42823d952f42e48595d01a4c
SHA1

10c3f50d679d0261ca35d12c6a7850092bc52c1c
SHA256

e0811a601c983e56789bf72e4befa467e4ef14591911fd777708b58849ed15cf
SHA512

4d0c1bf31d3401a27b7209afe9d8b70583e4af7b0f8a6614d34ef871a0085d6ecb5607d7b1e19686e37315323b052ae293e0e29944b5e0fb42593a0f574e294c
SSDEEP

3072:o/25jvDSgsqsb5Uh28vAbTV1WW69B9VjMdxPedN9ug0z9TBfFSTEwWYkQSlK:Dtzsb5Uh28+V1WW69B9VjMdxPedN9ug/

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2032	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeIncreaseQuotaPrivilege	2652	WMIC.exe
Token: SeSecurityPrivilege	2652	WMIC.exe
Token: SeTakeOwnershipPrivilege	2652	WMIC.exe
Token: SeLoadDriverPrivilege	2652	WMIC.exe
Token: SeSystemProfilePrivilege	2652	WMIC.exe
Token: SeSystemtimePrivilege	2652	WMIC.exe
Token: SeProfSingleProcessPrivilege	2652	WMIC.exe
Token: SeIncBasePriorityPrivilege	2652	WMIC.exe
Token: SeCreatePagefilePrivilege	2652	WMIC.exe
Token: SeBackupPrivilege	2652	WMIC.exe
Token: SeRestorePrivilege	2652	WMIC.exe
Token: SeShutdownPrivilege	2652	WMIC.exe
Token: SeDebugPrivilege	2652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2652	WMIC.exe
Token: SeRemoteShutdownPrivilege	2652	WMIC.exe
Token: SeUndockPrivilege	2652	WMIC.exe
Token: SeManageVolumePrivilege	2652	WMIC.exe
Token: 33	2652	WMIC.exe
Token: 34	2652	WMIC.exe
Token: 35	2652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2652	WMIC.exe
Token: SeSecurityPrivilege	2652	WMIC.exe
Token: SeTakeOwnershipPrivilege	2652	WMIC.exe
Token: SeLoadDriverPrivilege	2652	WMIC.exe
Token: SeSystemProfilePrivilege	2652	WMIC.exe
Token: SeSystemtimePrivilege	2652	WMIC.exe
Token: SeProfSingleProcessPrivilege	2652	WMIC.exe
Token: SeIncBasePriorityPrivilege	2652	WMIC.exe
Token: SeCreatePagefilePrivilege	2652	WMIC.exe
Token: SeBackupPrivilege	2652	WMIC.exe
Token: SeRestorePrivilege	2652	WMIC.exe
Token: SeShutdownPrivilege	2652	WMIC.exe
Token: SeDebugPrivilege	2652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2652	WMIC.exe
Token: SeRemoteShutdownPrivilege	2652	WMIC.exe
Token: SeUndockPrivilege	2652	WMIC.exe
Token: SeManageVolumePrivilege	2652	WMIC.exe
Token: 33	2652	WMIC.exe
Token: 34	2652	WMIC.exe
Token: 35	2652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2792	WMIC.exe
Token: SeSecurityPrivilege	2792	WMIC.exe
Token: SeTakeOwnershipPrivilege	2792	WMIC.exe
Token: SeLoadDriverPrivilege	2792	WMIC.exe
Token: SeSystemProfilePrivilege	2792	WMIC.exe
Token: SeSystemtimePrivilege	2792	WMIC.exe
Token: SeProfSingleProcessPrivilege	2792	WMIC.exe
Token: SeIncBasePriorityPrivilege	2792	WMIC.exe
Token: SeCreatePagefilePrivilege	2792	WMIC.exe
Token: SeBackupPrivilege	2792	WMIC.exe
Token: SeRestorePrivilege	2792	WMIC.exe
Token: SeShutdownPrivilege	2792	WMIC.exe
Token: SeDebugPrivilege	2792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2792	WMIC.exe
Token: SeRemoteShutdownPrivilege	2792	WMIC.exe
Token: SeUndockPrivilege	2792	WMIC.exe
Token: SeManageVolumePrivilege	2792	WMIC.exe
Token: 33	2792	WMIC.exe
Token: 34	2792	WMIC.exe
Token: 35	2792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2792	WMIC.exe
Token: SeSecurityPrivilege	2792	WMIC.exe
Token: SeTakeOwnershipPrivilege	2792	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2856	1696	e09e4c1d42823d952f42e48595d01a4c.exe	29
PID 1696 wrote to memory of 2856	1696	e09e4c1d42823d952f42e48595d01a4c.exe	29
PID 1696 wrote to memory of 2856	1696	e09e4c1d42823d952f42e48595d01a4c.exe	29
PID 2856 wrote to memory of 2896	2856	cmd.exe	30
PID 2856 wrote to memory of 2896	2856	cmd.exe	30
PID 2856 wrote to memory of 2896	2856	cmd.exe	30
PID 2856 wrote to memory of 2944	2856	cmd.exe	31
PID 2856 wrote to memory of 2944	2856	cmd.exe	31
PID 2856 wrote to memory of 2944	2856	cmd.exe	31
PID 2856 wrote to memory of 1700	2856	cmd.exe	32
PID 2856 wrote to memory of 1700	2856	cmd.exe	32
PID 2856 wrote to memory of 1700	2856	cmd.exe	32
PID 1700 wrote to memory of 2032	1700	cmd.exe	33
PID 1700 wrote to memory of 2032	1700	cmd.exe	33
PID 1700 wrote to memory of 2032	1700	cmd.exe	33
PID 2856 wrote to memory of 2632	2856	cmd.exe	34
PID 2856 wrote to memory of 2632	2856	cmd.exe	34
PID 2856 wrote to memory of 2632	2856	cmd.exe	34
PID 2632 wrote to memory of 2652	2632	cmd.exe	35
PID 2632 wrote to memory of 2652	2632	cmd.exe	35
PID 2632 wrote to memory of 2652	2632	cmd.exe	35
PID 2856 wrote to memory of 2664	2856	cmd.exe	37
PID 2856 wrote to memory of 2664	2856	cmd.exe	37
PID 2856 wrote to memory of 2664	2856	cmd.exe	37
PID 2664 wrote to memory of 2792	2664	cmd.exe	38
PID 2664 wrote to memory of 2792	2664	cmd.exe	38
PID 2664 wrote to memory of 2792	2664	cmd.exe	38
PID 2856 wrote to memory of 2864	2856	cmd.exe	39
PID 2856 wrote to memory of 2864	2856	cmd.exe	39
PID 2856 wrote to memory of 2864	2856	cmd.exe	39
PID 2864 wrote to memory of 2712	2864	cmd.exe	40
PID 2864 wrote to memory of 2712	2864	cmd.exe	40
PID 2864 wrote to memory of 2712	2864	cmd.exe	40
PID 2856 wrote to memory of 2532	2856	cmd.exe	41
PID 2856 wrote to memory of 2532	2856	cmd.exe	41
PID 2856 wrote to memory of 2532	2856	cmd.exe	41
PID 2532 wrote to memory of 2480	2532	cmd.exe	42
PID 2532 wrote to memory of 2480	2532	cmd.exe	42
PID 2532 wrote to memory of 2480	2532	cmd.exe	42
PID 2856 wrote to memory of 2380	2856	cmd.exe	43
PID 2856 wrote to memory of 2380	2856	cmd.exe	43
PID 2856 wrote to memory of 2380	2856	cmd.exe	43
PID 2380 wrote to memory of 2388	2380	cmd.exe	44
PID 2380 wrote to memory of 2388	2380	cmd.exe	44
PID 2380 wrote to memory of 2388	2380	cmd.exe	44
PID 2856 wrote to memory of 2284	2856	cmd.exe	45
PID 2856 wrote to memory of 2284	2856	cmd.exe	45
PID 2856 wrote to memory of 2284	2856	cmd.exe	45
PID 2284 wrote to memory of 2952	2284	cmd.exe	46
PID 2284 wrote to memory of 2952	2284	cmd.exe	46
PID 2284 wrote to memory of 2952	2284	cmd.exe	46
PID 2856 wrote to memory of 2004	2856	cmd.exe	47
PID 2856 wrote to memory of 2004	2856	cmd.exe	47
PID 2856 wrote to memory of 2004	2856	cmd.exe	47
PID 2004 wrote to memory of 2876	2004	cmd.exe	48
PID 2004 wrote to memory of 2876	2004	cmd.exe	48
PID 2004 wrote to memory of 2876	2004	cmd.exe	48
PID 2856 wrote to memory of 1068	2856	cmd.exe	49
PID 2856 wrote to memory of 1068	2856	cmd.exe	49
PID 2856 wrote to memory of 1068	2856	cmd.exe	49
PID 1068 wrote to memory of 544	1068	cmd.exe	50
PID 1068 wrote to memory of 544	1068	cmd.exe	50
PID 1068 wrote to memory of 544	1068	cmd.exe	50
PID 2856 wrote to memory of 2592	2856	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\e09e4c1d42823d952f42e48595d01a4c.exe
"C:\Users\Admin\AppData\Local\Temp\e09e4c1d42823d952f42e48595d01a4c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\478B.tmp\479C.tmp\479D.bat C:\Users\Admin\AppData\Local\Temp\e09e4c1d42823d952f42e48595d01a4c.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\system32\mode.com
    mode con: cols=41 lines=25
    3⤵
    PID:2896
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Invoke-RestMethod api.ipify.org
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:2480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
    3⤵
    PID:2592
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
    3⤵
    PID:1096
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
    3⤵
    PID:1948
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
    3⤵
    PID:1088
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:1640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
    3⤵
    PID:2612
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get processorid
    3⤵
    PID:288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get processorid
      4⤵
      PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
    3⤵
    PID:2608
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      4⤵
      PID:2564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\478B.tmp\479C.tmp\479D.bat

Filesize
9KB

MD5
5a690ababc9030be667b065eb1acbf71

SHA1
4a84fc1ad7db4742c0beb3ccc35d8107a1313476

SHA256
ad1434cb979dbc1282be8660c312cef7e19801ea0bd2b75491d2d244e3a1f79a

SHA512
0e4700284e2dc9e4ad66d570997bddf1a0279ecd4fc8f161a50050c3c50a994f7ba253b6ac94a0acf2d44f4a41d35aac7ceaa479a77d303ee79db4a0316286d9

Download Submit
memory/2032-6-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2032-8-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

Filesize
9.6MB

Download
memory/2032-7-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2032-9-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2032-10-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2032-11-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2032-12-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

Filesize
9.6MB

Download
memory/2032-13-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2032-14-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

Filesize
9.6MB

Download