Analysis
- max time kernel: 140s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09/04/2024, 22:26
Static task: static1

Behavioral task: behavioral1
- Sample: 47ce2c5a05ac010d548c2e2a6ef339fc.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 47ce2c5a05ac010d548c2e2a6ef339fc.exe
- Resource: win10v2004-20240319-en
General
- Target: 47ce2c5a05ac010d548c2e2a6ef339fc.exe
- Size: 97KB
- MD5: 47ce2c5a05ac010d548c2e2a6ef339fc
- SHA1: aeb98a5cc3009b64227fe21a544b8b374e4ca8df
- SHA256: 5fd78503adde5d002081e1a3ea6332745bf71c9d82d5d387555fe164360875ea
- SHA512: 7f5ab54c2442ccdc6d2063f8d63950d82a3ba3c4fe54a9c609f049e382b58a03acd529c7d98fc462f3dbc53da013e0900d6fbb16e0d8b78afb6c3fe93fc739a6
- SSDEEP: 768:urItKyw5WHXfQmjIiIk9ecAaSMb965yX7DLdP3Lii:ur3Z5IfQmv81aZKyXXZPbii
Malware Config
Signatures
- Sets file to hidden (1 TTPs, 1 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 3028, Process: attrib.exe

- Deletes itself (1 IoCs)
  PID 3040, Process: cmd.exe

- Executes dropped EXE (1 IoCs)
  PID 2788, Process: rwmhost.exe

- Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\Debug\rwmhost.exe, Process: 47ce2c5a05ac010d548c2e2a6ef339fc.exe
  File opened for modification: C:\Windows\Debug\rwmhost.exe, Process: 47ce2c5a05ac010d548c2e2a6ef339fc.exe
  File opened for modification: C:\Windows\Debug\rwmhost.exe, Process: attrib.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeIncBasePriorityPrivilege, PID 2080, Process: 47ce2c5a05ac010d548c2e2a6ef339fc.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2080 wrote to memory of 3028, PID 2080, Process: 47ce2c5a05ac010d548c2e2a6ef339fc.exe, procid_target: 28
  PID 2080 wrote to memory of 3028, PID 2080, Process: 47ce2c5a05ac010d548c2e2a6ef339fc.exe, procid_target: 28
  PID 2080 wrote to memory of 3028, PID 2080, Process: 47ce2c5a05ac010d548c2e2a6ef339fc.exe, procid_target: 28
  PID 2080 wrote to memory of 3028, PID 2080, Process: 47ce2c5a05ac010d548c2e2a6ef339fc.exe, procid_target: 28
  PID 2080 wrote to memory of 3040, PID 2080, Process: 47ce2c5a05ac010d548c2e2a6ef339fc.exe, procid_target: 31
  PID 2080 wrote to memory of 3040, PID 2080, Process: 47ce2c5a05ac010d548c2e2a6ef339fc.exe, procid_target: 31
  PID 2080 wrote to memory of 3040, PID 2080, Process: 47ce2c5a05ac010d548c2e2a6ef339fc.exe, procid_target: 31
  PID 2080 wrote to memory of 3040, PID 2080, Process: 47ce2c5a05ac010d548c2e2a6ef339fc.exe, procid_target: 31

- Views/modifies file attributes (1 TTPs, 1 IoCs)
  PID 3028, Process: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\47ce2c5a05ac010d548c2e2a6ef339fc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\47ce2c5a05ac010d548c2e2a6ef339fc.exe"
  PID: 2080
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +a +s +h +r C:\Windows\Debug\rwmhost.exe
    PID: 3028
    - Sets file to hidden
    - Drops file in Windows directory
    - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\47CE2C~1.EXE > nul
    PID: 3040
    - Deletes itself
- C:\Windows\Debug\rwmhost.exe
  Command line: C:\Windows\Debug\rwmhost.exe
  PID: 2788
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 97KB
  MD5: 1b9b56bc2140dc9dec46b5ea543360d2
  SHA1: 66daf8381102543aba6dbcf8477be2ee03217cf5
  SHA256: 9844633ada07037aeb06ede49e63ba4f9c17de151c3091d109c3cc56015ae12f
  SHA512: d2bcbcaee3d4c3e61ebb0b32dbe5f8aa3b9aac79ae0da4a42ef0cc0c810145bdfda2e22993b1cce07f91d79465363aec1877135ee0602838a1b131d8ebd10174