1e424f3f293d95d0a8872bfcb7be47504095c829b79c27cfa018e7faa4e153eb

Analysis

max time kernel
1482s
max time network
1494s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
22/05/2024, 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

compile.exe
Size

89KB
MD5

5e4d4451e6f835e215758a4ea771b8b2
SHA1

ffb9e9f923416a9ba13c3bb6495d9d775060d66d
SHA256

1e424f3f293d95d0a8872bfcb7be47504095c829b79c27cfa018e7faa4e153eb
SHA512

4c0380d2e650a25c6b24af9e8f27898db00438af11b2961c25eae6224d14f4c32990bd2748f39e4e62e1d3058c614693567955ce44d8347a9040bc83468fd0e8
SSDEEP

1536:77fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfBw5:X7DhdC6kzWypvaQ0FxyNTBfBI

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1112	powershell.exe
1112	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 3580	2836	compile.exe	81
PID 2836 wrote to memory of 3580	2836	compile.exe	81
PID 3580 wrote to memory of 1112	3580	cmd.exe	82
PID 3580 wrote to memory of 1112	3580	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\compile.exe
"C:\Users\Admin\AppData\Local\Temp\compile.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\707D.tmp\707E.tmp\707F.bat C:\Users\Admin\AppData\Local\Temp\compile.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell C:\Users\Admin\AppData\Roaming\rvrs-shell.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\707D.tmp\707E.tmp\707F.bat

Filesize
64B

MD5
5159e1b81afad67bc72adb9683f6161e

SHA1
6852d8e21571f35402ea5680f4f29f34eea897c0

SHA256
1c911f2499909c433d375b7cf6d818601269337a08757eeb86c58420eece4d26

SHA512
25c36a92db43a78f5b194a88e72641f5ee24133fa443c41c2a5cb08d3b37a59a085cf5347e79edb5eac70933ce268e5efe0d6b534ced7af02b48272666f95365

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p53qdqx4.3o2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\rvrs-shell.ps1

Filesize
153B

MD5
3eac151ef6e59f46c893c8a9061f8f08

SHA1
48866a4e8490007f29879f866bef80e1d07b86ef

SHA256
8c9ea25d89f9aec9e4a93c8a5b422ac81502cf94c9579f1ebc74446476e498b4

SHA512
363576a172f7b01fe71c029b913788408c13d971bac1630ab0d89a07f6d9131b7ff81042efb7bb0b58b0ca49ed0c02f570a2b8a67b910b47ed5ac525b1680c9d

Download Submit
memory/1112-4-0x00007FFFF6013000-0x00007FFFF6015000-memory.dmp

Filesize
8KB

Download
memory/1112-13-0x0000028FF27E0000-0x0000028FF2802000-memory.dmp

Filesize
136KB

Download
memory/1112-14-0x00007FFFF6010000-0x00007FFFF6AD2000-memory.dmp

Filesize
10.8MB

Download
memory/1112-16-0x00007FFFF6010000-0x00007FFFF6AD2000-memory.dmp

Filesize
10.8MB

Download
memory/1112-17-0x00007FFFF6010000-0x00007FFFF6AD2000-memory.dmp

Filesize
10.8MB

Download
memory/1112-20-0x00007FFFF6010000-0x00007FFFF6AD2000-memory.dmp

Filesize
10.8MB

Download
memory/1112-21-0x00007FFFF6010000-0x00007FFFF6AD2000-memory.dmp

Filesize
10.8MB

Download