ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0

Analysis

max time kernel
132s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 14:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0.exe
Size

28KB
MD5

dd6d09e0e565ea18b85a18af8e95eb75
SHA1

5b1b9593baa56dbe43e9bbbeda576727697e7101
SHA256

ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0
SHA512

54e787e49c8d7008cdef0822136bd93854aa8b7dcfa7fa844f7ce7e44177c65daa0c6679f3596d3fecb24b615e9867ef16201571e4f00f331b4e546c81c703b4
SSDEEP

768:WKATpdDhsNNNCcJhC1SE4q1AG6Eaqi6s:U3t1aq1AEaqPs

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0.lnk	ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1348	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4224	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4292	ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0.exe
4292	ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 4224	4292	ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0.exe	98
PID 4292 wrote to memory of 4224	4292	ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0.exe	98
PID 4292 wrote to memory of 1348	4292	ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0.exe	102
PID 4292 wrote to memory of 1348	4292	ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0.exe	102

C:\Users\Admin\AppData\Local\Temp\ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0.exe
"C:\Users\Admin\AppData\Local\Temp\ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\System32\systeminfo.exe
  "C:\Windows\System32\systeminfo.exe"
  2⤵
  - Gathers system information
  PID:4224
- C:\Windows\System32\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe" /all
  2⤵
  - Gathers network information
  PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4292-0-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download
memory/4292-1-0x00007FFD6C170000-0x00007FFD6CC31000-memory.dmp

Filesize
10.8MB

Download
memory/4292-2-0x000000001B110000-0x000000001B120000-memory.dmp

Filesize
64KB

Download
memory/4292-3-0x00007FFD6C170000-0x00007FFD6CC31000-memory.dmp

Filesize
10.8MB

Download
memory/4292-4-0x000000001B110000-0x000000001B120000-memory.dmp

Filesize
64KB

Download