c48036b68d682fb92ab4396df06814dd5ec11dae0db508d07942d5598a77a753

Analysis

max time kernel
145s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27/04/2024, 02:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

mmc.exe
Size

1.9MB
MD5

1627e5cc3fa0442af745d2fc2a0f7971
SHA1

ef4eba0e1ad45d9d10e9b94c9ea192a8b4755052
SHA256

c48036b68d682fb92ab4396df06814dd5ec11dae0db508d07942d5598a77a753
SHA512

5afb5cfcdff00b120962ee9cf26b7e140e9d433b5d04dc0d293aa1cd8edf70d83bf8bc3f7e033b4bd300f13bc7ddf3ecc35b74489e8366425b1a8cba84f7c3cd
SSDEEP

24576:xPBAnOQ4NIUYfRk/uTTajDthtMGr64D4spjosxMo7wMo7DH:zb9IRUuTYhhtwspJ7e7DH

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4588	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: 33	4588	mmc.exe
Token: SeIncBasePriorityPrivilege	4588	mmc.exe
Token: SeSecurityPrivilege	4588	mmc.exe
Token: SeSecurityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2136	mmc.exe
4588	mmc.exe
4588	mmc.exe
4440	mmc.exe
4440	mmc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 4588	4000	eventvwr.exe	80
PID 4000 wrote to memory of 4588	4000	eventvwr.exe	80

C:\Users\Admin\AppData\Local\Temp\mmc.exe
"C:\Users\Admin\AppData\Local\Temp\mmc.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4184

C:\Windows\System32\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4588

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mmc.exe.log

Filesize
1KB

MD5
f2ba3fa49fb18cc19ed5fab022387a40

SHA1
0593f532758db4a70b54163c7d94f85b033a9040

SHA256
744e9f3871ab3582574b8f2bd69a31392186bf703606bb3d4913e4d97eb3a91e

SHA512
176cfc54ddaa0c5e00a0283f44a69265fee8a8720ae1d41e3c1306fa5fdbaba582ada671246d34309388446558e0501f9b2dfa4c52571f684398b8d4bc17ad00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Event Viewer\RecentViews

Filesize
105B

MD5
785fb8e1b562e2fcc8c0c0c6572ee3d7

SHA1
71aab53ea530b694914037520a825d553caa0928

SHA256
5607b57c3c58070f54b8f68fa22808f9ad14c60bbf05f00da92a162585c3c562

SHA512
6710bb3d2cc4c560e57e0d087fa369fe1e43e537e178e5ebc417871b1a09beabc471d5cd1babcaf260a82563cbfb7b38903c46c3b4c211550d7365138214551c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Event Viewer\Settings.Xml

Filesize
109B

MD5
884320a9b8f018f309f5a96107133f89

SHA1
102e8a8f3c91a10d9d670e0b3715bd2e0acee5ff

SHA256
50fd9d76d1c43bb16b166de02aaf8adec09eb5bc4cefdca9d1af2e0f7b1d8f64

SHA512
b815fcbd7263b6667f01478b955f9734b1bddbcd7ca8e62ef8ff1ec46ed99931ba466c976ac781f1bd899125571585d580f6f232cc37b8e9ed87935981b99b78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\eventvwr

Filesize
135KB

MD5
74fad72a588f3f5cce904338fe2ac722

SHA1
f2d9027c1c68636678df9d44595c43cbce11787a

SHA256
a047545c4366dc6b3266d858960d1311916c1d5c70ad60806d550e00de9f2dd3

SHA512
da74de2e5a890724a8a826ca24797441d5d2c4944f69ab8f40d400bf172cb97bc6262cbc79de6c59ccc8dc5f89e59306fe4d667935200399ebc3eea8f67945a1

Download Submit