d00b96985ef370d873d5028611c31f1eac1f858347bf1c6982b3bb9e05626f3e

Analysis

max time kernel
126s
max time network
136s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 17:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.4MB
MD5

4d08af475012207281e72894a09dde3b
SHA1

660addb2bb6e25b734892ff6b4b55f5ee412f7a0
SHA256

d00b96985ef370d873d5028611c31f1eac1f858347bf1c6982b3bb9e05626f3e
SHA512

bbb1000b340e2c94d7444dd7162cf53d0526fa9f10c50367f21b17c12e196ba0f993b373be909dc66c5894e5f75f61e57f2bf9bde341f777008b1fa77a232f5b
SSDEEP

24576:C/bW5bWpIFLX5ewNIFLX5ncTqTwBCY8K67FWV3G7X2/pk52pQ:C6IO5ewy5cawBCVls82/pk52p

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2372	tmp.exe
2372	tmp.exe
2216	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	tmp.exe
Token: SeDebugPrivilege	2216	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2216	2372	tmp.exe	28
PID 2372 wrote to memory of 2216	2372	tmp.exe	28
PID 2372 wrote to memory of 2216	2372	tmp.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
169B

MD5
f260d997847031123b867315e786a3d6

SHA1
615bbfa05aa7eb9ae9fe02ebf757265d76a08a5a

SHA256
26c9afc6ec388c82deb202d2fdb8851eb5a1f8c612d134f7d930ddc78f59a60b

SHA512
a8fc78cd1d98dba42710bb2fc4a6678957dc0d90c9d7b3a6856b0c4ed833b49cd720e4cc8991a37fbcff0a79beb2254bbbbdf3a513c9a1e153d47f837c94e579

Download Submit
memory/2216-22-0x0000000001F20000-0x0000000001F28000-memory.dmp

Filesize
32KB

Download
memory/2216-28-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2216-27-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2216-26-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2216-25-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2216-24-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2216-21-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2216-23-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2372-14-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/2372-16-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/2372-0-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2372-3-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/2372-2-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/2372-1-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2372-31-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2372-32-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/2372-33-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2372-34-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/2372-35-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download