e0811a601c983e56789bf72e4befa467e4ef14591911fd777708b58849ed15cf

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e09e4c1d42823d952f42e48595d01a4c.exe
Size

146KB
MD5

e09e4c1d42823d952f42e48595d01a4c
SHA1

10c3f50d679d0261ca35d12c6a7850092bc52c1c
SHA256

e0811a601c983e56789bf72e4befa467e4ef14591911fd777708b58849ed15cf
SHA512

4d0c1bf31d3401a27b7209afe9d8b70583e4af7b0f8a6614d34ef871a0085d6ecb5607d7b1e19686e37315323b052ae293e0e29944b5e0fb42593a0f574e294c
SSDEEP

3072:o/25jvDSgsqsb5Uh28vAbTV1WW69B9VjMdxPedN9ug0z9TBfFSTEwWYkQSlK:Dtzsb5Uh28+V1WW69B9VjMdxPedN9ug/

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	1404	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	api.ipify.org

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1404	powershell.exe
1404	powershell.exe
1404	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeIncreaseQuotaPrivilege	4836	WMIC.exe
Token: SeSecurityPrivilege	4836	WMIC.exe
Token: SeTakeOwnershipPrivilege	4836	WMIC.exe
Token: SeLoadDriverPrivilege	4836	WMIC.exe
Token: SeSystemProfilePrivilege	4836	WMIC.exe
Token: SeSystemtimePrivilege	4836	WMIC.exe
Token: SeProfSingleProcessPrivilege	4836	WMIC.exe
Token: SeIncBasePriorityPrivilege	4836	WMIC.exe
Token: SeCreatePagefilePrivilege	4836	WMIC.exe
Token: SeBackupPrivilege	4836	WMIC.exe
Token: SeRestorePrivilege	4836	WMIC.exe
Token: SeShutdownPrivilege	4836	WMIC.exe
Token: SeDebugPrivilege	4836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4836	WMIC.exe
Token: SeRemoteShutdownPrivilege	4836	WMIC.exe
Token: SeUndockPrivilege	4836	WMIC.exe
Token: SeManageVolumePrivilege	4836	WMIC.exe
Token: 33	4836	WMIC.exe
Token: 34	4836	WMIC.exe
Token: 35	4836	WMIC.exe
Token: 36	4836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4836	WMIC.exe
Token: SeSecurityPrivilege	4836	WMIC.exe
Token: SeTakeOwnershipPrivilege	4836	WMIC.exe
Token: SeLoadDriverPrivilege	4836	WMIC.exe
Token: SeSystemProfilePrivilege	4836	WMIC.exe
Token: SeSystemtimePrivilege	4836	WMIC.exe
Token: SeProfSingleProcessPrivilege	4836	WMIC.exe
Token: SeIncBasePriorityPrivilege	4836	WMIC.exe
Token: SeCreatePagefilePrivilege	4836	WMIC.exe
Token: SeBackupPrivilege	4836	WMIC.exe
Token: SeRestorePrivilege	4836	WMIC.exe
Token: SeShutdownPrivilege	4836	WMIC.exe
Token: SeDebugPrivilege	4836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4836	WMIC.exe
Token: SeRemoteShutdownPrivilege	4836	WMIC.exe
Token: SeUndockPrivilege	4836	WMIC.exe
Token: SeManageVolumePrivilege	4836	WMIC.exe
Token: 33	4836	WMIC.exe
Token: 34	4836	WMIC.exe
Token: 35	4836	WMIC.exe
Token: 36	4836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1568	WMIC.exe
Token: SeSecurityPrivilege	1568	WMIC.exe
Token: SeTakeOwnershipPrivilege	1568	WMIC.exe
Token: SeLoadDriverPrivilege	1568	WMIC.exe
Token: SeSystemProfilePrivilege	1568	WMIC.exe
Token: SeSystemtimePrivilege	1568	WMIC.exe
Token: SeProfSingleProcessPrivilege	1568	WMIC.exe
Token: SeIncBasePriorityPrivilege	1568	WMIC.exe
Token: SeCreatePagefilePrivilege	1568	WMIC.exe
Token: SeBackupPrivilege	1568	WMIC.exe
Token: SeRestorePrivilege	1568	WMIC.exe
Token: SeShutdownPrivilege	1568	WMIC.exe
Token: SeDebugPrivilege	1568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1568	WMIC.exe
Token: SeRemoteShutdownPrivilege	1568	WMIC.exe
Token: SeUndockPrivilege	1568	WMIC.exe
Token: SeManageVolumePrivilege	1568	WMIC.exe
Token: 33	1568	WMIC.exe
Token: 34	1568	WMIC.exe
Token: 35	1568	WMIC.exe
Token: 36	1568	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 4220	3800	e09e4c1d42823d952f42e48595d01a4c.exe	96
PID 3800 wrote to memory of 4220	3800	e09e4c1d42823d952f42e48595d01a4c.exe	96
PID 4220 wrote to memory of 2788	4220	cmd.exe	97
PID 4220 wrote to memory of 2788	4220	cmd.exe	97
PID 4220 wrote to memory of 4116	4220	cmd.exe	98
PID 4220 wrote to memory of 4116	4220	cmd.exe	98
PID 4220 wrote to memory of 2804	4220	cmd.exe	99
PID 4220 wrote to memory of 2804	4220	cmd.exe	99
PID 2804 wrote to memory of 1404	2804	cmd.exe	100
PID 2804 wrote to memory of 1404	2804	cmd.exe	100
PID 4220 wrote to memory of 2220	4220	cmd.exe	104
PID 4220 wrote to memory of 2220	4220	cmd.exe	104
PID 2220 wrote to memory of 4836	2220	cmd.exe	105
PID 2220 wrote to memory of 4836	2220	cmd.exe	105
PID 4220 wrote to memory of 2624	4220	cmd.exe	107
PID 4220 wrote to memory of 2624	4220	cmd.exe	107
PID 2624 wrote to memory of 1568	2624	cmd.exe	108
PID 2624 wrote to memory of 1568	2624	cmd.exe	108
PID 4220 wrote to memory of 3004	4220	cmd.exe	109
PID 4220 wrote to memory of 3004	4220	cmd.exe	109
PID 3004 wrote to memory of 2652	3004	cmd.exe	110
PID 3004 wrote to memory of 2652	3004	cmd.exe	110
PID 4220 wrote to memory of 4420	4220	cmd.exe	111
PID 4220 wrote to memory of 4420	4220	cmd.exe	111
PID 4420 wrote to memory of 2876	4420	cmd.exe	112
PID 4420 wrote to memory of 2876	4420	cmd.exe	112
PID 4220 wrote to memory of 5004	4220	cmd.exe	113
PID 4220 wrote to memory of 5004	4220	cmd.exe	113
PID 5004 wrote to memory of 2736	5004	cmd.exe	114
PID 5004 wrote to memory of 2736	5004	cmd.exe	114
PID 4220 wrote to memory of 4732	4220	cmd.exe	115
PID 4220 wrote to memory of 4732	4220	cmd.exe	115
PID 4732 wrote to memory of 1940	4732	cmd.exe	116
PID 4732 wrote to memory of 1940	4732	cmd.exe	116
PID 4220 wrote to memory of 2356	4220	cmd.exe	117
PID 4220 wrote to memory of 2356	4220	cmd.exe	117
PID 2356 wrote to memory of 980	2356	cmd.exe	118
PID 2356 wrote to memory of 980	2356	cmd.exe	118
PID 4220 wrote to memory of 4032	4220	cmd.exe	119
PID 4220 wrote to memory of 4032	4220	cmd.exe	119
PID 4032 wrote to memory of 1228	4032	cmd.exe	120
PID 4032 wrote to memory of 1228	4032	cmd.exe	120
PID 4220 wrote to memory of 3468	4220	cmd.exe	121
PID 4220 wrote to memory of 3468	4220	cmd.exe	121
PID 3468 wrote to memory of 2996	3468	cmd.exe	122
PID 3468 wrote to memory of 2996	3468	cmd.exe	122
PID 4220 wrote to memory of 3792	4220	cmd.exe	123
PID 4220 wrote to memory of 3792	4220	cmd.exe	123
PID 3792 wrote to memory of 1692	3792	cmd.exe	124
PID 3792 wrote to memory of 1692	3792	cmd.exe	124
PID 4220 wrote to memory of 2572	4220	cmd.exe	127
PID 4220 wrote to memory of 2572	4220	cmd.exe	127
PID 2572 wrote to memory of 1948	2572	cmd.exe	128
PID 2572 wrote to memory of 1948	2572	cmd.exe	128
PID 4220 wrote to memory of 1212	4220	cmd.exe	129
PID 4220 wrote to memory of 1212	4220	cmd.exe	129
PID 1212 wrote to memory of 1340	1212	cmd.exe	130
PID 1212 wrote to memory of 1340	1212	cmd.exe	130
PID 4220 wrote to memory of 1504	4220	cmd.exe	132
PID 4220 wrote to memory of 1504	4220	cmd.exe	132
PID 1504 wrote to memory of 4588	1504	cmd.exe	133
PID 1504 wrote to memory of 4588	1504	cmd.exe	133
PID 4220 wrote to memory of 2876	4220	cmd.exe	134
PID 4220 wrote to memory of 2876	4220	cmd.exe	134

C:\Users\Admin\AppData\Local\Temp\e09e4c1d42823d952f42e48595d01a4c.exe
"C:\Users\Admin\AppData\Local\Temp\e09e4c1d42823d952f42e48595d01a4c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\708C.tmp\708D.tmp\708E.bat C:\Users\Admin\AppData\Local\Temp\e09e4c1d42823d952f42e48595d01a4c.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\system32\mode.com
    mode con: cols=41 lines=25
    3⤵
    PID:2788
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Invoke-RestMethod api.ipify.org
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:2652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:1940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      PID:1228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3468
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:1340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get processorid
    3⤵
    PID:2876
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get processorid
      4⤵
      PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
    3⤵
    PID:4692
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      4⤵
      PID:780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8
1⤵
PID:3932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\708C.tmp\708D.tmp\708E.bat

Filesize
9KB

MD5
5a690ababc9030be667b065eb1acbf71

SHA1
4a84fc1ad7db4742c0beb3ccc35d8107a1313476

SHA256
ad1434cb979dbc1282be8660c312cef7e19801ea0bd2b75491d2d244e3a1f79a

SHA512
0e4700284e2dc9e4ad66d570997bddf1a0279ecd4fc8f161a50050c3c50a994f7ba253b6ac94a0acf2d44f4a41d35aac7ceaa479a77d303ee79db4a0316286d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_egiuj04u.k14.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1404-7-0x0000020B789C0000-0x0000020B789E2000-memory.dmp

Filesize
136KB

Download
memory/1404-12-0x00007FFC77DE0000-0x00007FFC788A1000-memory.dmp

Filesize
10.8MB

Download
memory/1404-14-0x0000020B781E0000-0x0000020B781F0000-memory.dmp

Filesize
64KB

Download
memory/1404-13-0x0000020B781E0000-0x0000020B781F0000-memory.dmp

Filesize
64KB

Download
memory/1404-15-0x0000020B781E0000-0x0000020B781F0000-memory.dmp

Filesize
64KB

Download
memory/1404-16-0x0000020B79050000-0x0000020B79212000-memory.dmp

Filesize
1.8MB

Download
memory/1404-19-0x00007FFC77DE0000-0x00007FFC788A1000-memory.dmp

Filesize
10.8MB

Download