ca405bb07b82fed91ee0a261be31657ea5466add97225b0a9865c25311042939

Analysis

max time kernel
131s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe
Size

32KB
MD5

f5fca1b178af87bd48c7ea9e3f2c957b
SHA1

7a58fc9a14a7c4c0abaa8d9bae5d69e74a19762d
SHA256

47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399
SHA512

6ce8ee0ce49e2058aee2c0557e8ab6c1250dcefc4e8b4e451a07fb990a01051f8e0a5fb468f1d9b61b523ac481eaba11e501e2e5b45b2775a1be4428bca7cb37
SSDEEP

384:wnlkJzAQeFTaSO1CoRWQDwyErOfeYVTDj95Ssz95:wnlRbFm5AoR3XVTDj955z95

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ifconfig.me
4	ifconfig.me

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
1432	net.exe
3420	net.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3768	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3084	systeminfo.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4616	wmic.exe
Token: SeSecurityPrivilege	4616	wmic.exe
Token: SeTakeOwnershipPrivilege	4616	wmic.exe
Token: SeLoadDriverPrivilege	4616	wmic.exe
Token: SeSystemProfilePrivilege	4616	wmic.exe
Token: SeSystemtimePrivilege	4616	wmic.exe
Token: SeProfSingleProcessPrivilege	4616	wmic.exe
Token: SeIncBasePriorityPrivilege	4616	wmic.exe
Token: SeCreatePagefilePrivilege	4616	wmic.exe
Token: SeBackupPrivilege	4616	wmic.exe
Token: SeRestorePrivilege	4616	wmic.exe
Token: SeShutdownPrivilege	4616	wmic.exe
Token: SeDebugPrivilege	4616	wmic.exe
Token: SeSystemEnvironmentPrivilege	4616	wmic.exe
Token: SeRemoteShutdownPrivilege	4616	wmic.exe
Token: SeUndockPrivilege	4616	wmic.exe
Token: SeManageVolumePrivilege	4616	wmic.exe
Token: 33	4616	wmic.exe
Token: 34	4616	wmic.exe
Token: 35	4616	wmic.exe
Token: 36	4616	wmic.exe
Token: SeIncreaseQuotaPrivilege	4616	wmic.exe
Token: SeSecurityPrivilege	4616	wmic.exe
Token: SeTakeOwnershipPrivilege	4616	wmic.exe
Token: SeLoadDriverPrivilege	4616	wmic.exe
Token: SeSystemProfilePrivilege	4616	wmic.exe
Token: SeSystemtimePrivilege	4616	wmic.exe
Token: SeProfSingleProcessPrivilege	4616	wmic.exe
Token: SeIncBasePriorityPrivilege	4616	wmic.exe
Token: SeCreatePagefilePrivilege	4616	wmic.exe
Token: SeBackupPrivilege	4616	wmic.exe
Token: SeRestorePrivilege	4616	wmic.exe
Token: SeShutdownPrivilege	4616	wmic.exe
Token: SeDebugPrivilege	4616	wmic.exe
Token: SeSystemEnvironmentPrivilege	4616	wmic.exe
Token: SeRemoteShutdownPrivilege	4616	wmic.exe
Token: SeUndockPrivilege	4616	wmic.exe
Token: SeManageVolumePrivilege	4616	wmic.exe
Token: 33	4616	wmic.exe
Token: 34	4616	wmic.exe
Token: 35	4616	wmic.exe
Token: 36	4616	wmic.exe
Token: SeIncreaseQuotaPrivilege	2388	WMIC.exe
Token: SeSecurityPrivilege	2388	WMIC.exe
Token: SeTakeOwnershipPrivilege	2388	WMIC.exe
Token: SeLoadDriverPrivilege	2388	WMIC.exe
Token: SeSystemProfilePrivilege	2388	WMIC.exe
Token: SeSystemtimePrivilege	2388	WMIC.exe
Token: SeProfSingleProcessPrivilege	2388	WMIC.exe
Token: SeIncBasePriorityPrivilege	2388	WMIC.exe
Token: SeCreatePagefilePrivilege	2388	WMIC.exe
Token: SeBackupPrivilege	2388	WMIC.exe
Token: SeRestorePrivilege	2388	WMIC.exe
Token: SeShutdownPrivilege	2388	WMIC.exe
Token: SeDebugPrivilege	2388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2388	WMIC.exe
Token: SeRemoteShutdownPrivilege	2388	WMIC.exe
Token: SeUndockPrivilege	2388	WMIC.exe
Token: SeManageVolumePrivilege	2388	WMIC.exe
Token: 33	2388	WMIC.exe
Token: 34	2388	WMIC.exe
Token: 35	2388	WMIC.exe
Token: 36	2388	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2388	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 3284	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	83
PID 3552 wrote to memory of 3284	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	83
PID 3284 wrote to memory of 3768	3284	cmd.exe	85
PID 3284 wrote to memory of 3768	3284	cmd.exe	85
PID 3552 wrote to memory of 3980	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	86
PID 3552 wrote to memory of 3980	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	86
PID 3980 wrote to memory of 3084	3980	cmd.exe	88
PID 3980 wrote to memory of 3084	3980	cmd.exe	88
PID 3552 wrote to memory of 4668	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	94
PID 3552 wrote to memory of 4668	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	94
PID 4668 wrote to memory of 3140	4668	cmd.exe	96
PID 4668 wrote to memory of 3140	4668	cmd.exe	96
PID 3552 wrote to memory of 4652	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	97
PID 3552 wrote to memory of 4652	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	97
PID 4652 wrote to memory of 2236	4652	cmd.exe	99
PID 4652 wrote to memory of 2236	4652	cmd.exe	99
PID 3552 wrote to memory of 1832	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	100
PID 3552 wrote to memory of 1832	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	100
PID 1832 wrote to memory of 1432	1832	cmd.exe	102
PID 1832 wrote to memory of 1432	1832	cmd.exe	102
PID 3552 wrote to memory of 5048	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	109
PID 3552 wrote to memory of 5048	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	109
PID 5048 wrote to memory of 3420	5048	cmd.exe	111
PID 5048 wrote to memory of 3420	5048	cmd.exe	111
PID 3552 wrote to memory of 3100	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	112
PID 3552 wrote to memory of 3100	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	112
PID 3100 wrote to memory of 4232	3100	cmd.exe	114
PID 3100 wrote to memory of 4232	3100	cmd.exe	114
PID 4232 wrote to memory of 2712	4232	net.exe	115
PID 4232 wrote to memory of 2712	4232	net.exe	115
PID 3552 wrote to memory of 4616	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	116
PID 3552 wrote to memory of 4616	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	116
PID 3552 wrote to memory of 2192	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	118
PID 3552 wrote to memory of 2192	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	118
PID 2192 wrote to memory of 5024	2192	cmd.exe	120
PID 2192 wrote to memory of 5024	2192	cmd.exe	120
PID 5024 wrote to memory of 212	5024	net.exe	121
PID 5024 wrote to memory of 212	5024	net.exe	121
PID 3552 wrote to memory of 3384	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	122
PID 3552 wrote to memory of 3384	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	122
PID 3384 wrote to memory of 2388	3384	cmd.exe	124
PID 3384 wrote to memory of 2388	3384	cmd.exe	124
PID 3384 wrote to memory of 4476	3384	cmd.exe	125
PID 3384 wrote to memory of 4476	3384	cmd.exe	125
PID 3552 wrote to memory of 2140	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	126
PID 3552 wrote to memory of 2140	3552	47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe	126
PID 2140 wrote to memory of 4972	2140	cmd.exe	128
PID 2140 wrote to memory of 4972	2140	cmd.exe	128

C:\Users\Admin\AppData\Local\Temp\47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe
"C:\Users\Admin\AppData\Local\Temp\47e9917ce0afc96632db5e95db2fd9aff10d05b0399fd05d02035eacb3c1f399.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\System32\cmd.exe
  /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3768
- C:\Windows\System32\cmd.exe
  /c systeminfo
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:3084
- C:\Windows\System32\cmd.exe
  /c nltest /domain_trusts
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts
    3⤵
    PID:3140
- C:\Windows\System32\cmd.exe
  /c nltest /domain_trusts /all_trusts
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:2236
- C:\Windows\System32\cmd.exe
  /c net view /all /domain
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\system32\net.exe
    net view /all /domain
    3⤵
    - Discovers systems in the same network
    PID:1432
- C:\Windows\System32\cmd.exe
  /c net view /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\system32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:3420
- C:\Windows\System32\cmd.exe
  /c net group "Domain Admins" /domain
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\system32\net.exe
    net group "Domain Admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 group "Domain Admins" /domain
      4⤵
      PID:2712
- C:\Windows\System32\wbem\wmic.exe
  /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4616
- C:\Windows\System32\cmd.exe
  /c net config workstation
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\system32\net.exe
    net config workstation
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 config workstation
      4⤵
      PID:212
- C:\Windows\System32\cmd.exe
  /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\system32\findstr.exe
    findstr /V /B /C:displayName
    3⤵
    PID:4476
- C:\Windows\System32\cmd.exe
  /c whoami /groups
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\system32\whoami.exe
    whoami /groups
    3⤵
    PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads