d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4

Analysis

max time kernel
195s
max time network
255s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-04-2024 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe
Size

552KB
MD5

0f5235116df283e424268f99bb1806fd
SHA1

a79cd569110deffbfbda863b78de3e8f999d5a57
SHA256

d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4
SHA512

f956b363540595d70ec7a8e49e0baeb4980f4432ad286abe0ee19d7bf171f9f448d347c717e4697f3408a9fc7c9ed46eba56f5d9964396abfdfe58b129c7cc96
SSDEEP

12288:JKuTqUpDsCidKbHs/IJZDsK18ENeUsBV+ai4:JK89p4Ci+HsQD4K1W+n4

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8M6i6spL3wEwyVMhijQsoX8d.bat	AddInProcess32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
3	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2520 set thread context of 2668	2520	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	73

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2520	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe
Token: SeDebugPrivilege	2668	AddInProcess32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2668	2520	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	73
PID 2520 wrote to memory of 2668	2520	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	73
PID 2520 wrote to memory of 2668	2520	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	73
PID 2520 wrote to memory of 2668	2520	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	73
PID 2520 wrote to memory of 2668	2520	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	73
PID 2520 wrote to memory of 2668	2520	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	73
PID 2520 wrote to memory of 2668	2520	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	73
PID 2520 wrote to memory of 2668	2520	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	73
PID 2520 wrote to memory of 4100	2520	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	74
PID 2520 wrote to memory of 4100	2520	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	74
PID 2520 wrote to memory of 4100	2520	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	74

C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe
"C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pictures\EObJpSFjObof36RIntTgJSGR.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
memory/2520-0-0x0000022595590000-0x00000225955C6000-memory.dmp

Filesize
216KB

Download
memory/2520-1-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-2-0x00000225971D0000-0x00000225971E0000-memory.dmp

Filesize
64KB

Download
memory/2520-3-0x0000022597140000-0x000002259719E000-memory.dmp

Filesize
376KB

Download
memory/2520-13-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-14-0x00000225971D0000-0x00000225971E0000-memory.dmp

Filesize
64KB

Download
memory/2668-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-5-0x0000000073200000-0x00000000738EE000-memory.dmp

Filesize
6.9MB

Download
memory/2668-6-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/2668-15-0x0000000073200000-0x00000000738EE000-memory.dmp

Filesize
6.9MB

Download
memory/2668-16-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download