Analysis
- max time kernel: 195s
- max time network: 257s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 30/05/2024, 23:20
Static task: static1
Behavioral task: behavioral1
- Sample: a6516b7a67fd64731c893ad8ee12c2878673841cbb756a8e597812da52b08027.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: a6516b7a67fd64731c893ad8ee12c2878673841cbb756a8e597812da52b08027.exe
- Resource: win10-20240404-en
General
- Target: a6516b7a67fd64731c893ad8ee12c2878673841cbb756a8e597812da52b08027.exe
- Size: 539KB
- MD5: 9d4d3e9107fab87e6b86d8ad6cfc8244
- SHA1: 841e2183ebee75b32319ce7cf81f82f8d2ca3cea
- SHA256: a6516b7a67fd64731c893ad8ee12c2878673841cbb756a8e597812da52b08027
- SHA512: e9da618fa873db7a2b5ab4813db6ef6bd0c2356c4682c9415b9b62dc192e1fc8e5fee423c698cc3695e665e2699664c68c8041746ad0e51753309a9bc21eecf3
- SSDEEP: 12288:v5d20CeBNGZiM1KVO0VeUOmC5sf52gpc/6ZpKS9fJsM9gQ07DG2iHh9v7zZwZE+t:xd20rwZiM1d0V78m4WL
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid 4196, process a6516b7a67fd64731c893ad8ee12c2878673841cbb756a8e597812da52b08027.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  PID 4196 set thread context of 1472: pid 4196, process a6516b7a67fd64731c893ad8ee12c2878673841cbb756a8e597812da52b08027.exe, procid_target 73
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1472, process MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs), all by pid 1472, process MSBuild.exe:
  Token: SeDebugPrivilege
  Token: SeBackupPrivilege
  Token: SeSecurityPrivilege (4 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4196 wrote to memory of 1472: pid 4196, process a6516b7a67fd64731c893ad8ee12c2878673841cbb756a8e597812da52b08027.exe, procid_target 73 (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a6516b7a67fd64731c893ad8ee12c2878673841cbb756a8e597812da52b08027.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6516b7a67fd64731c893ad8ee12c2878673841cbb756a8e597812da52b08027.exe"
  PID: 4196
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 1472
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 923KB
  MD5: e496eb04f812481319e7ebc5f64c253b
  SHA1: 029b852d41223c4c246f51026acbf7b6b7856d28
  SHA256: 1233aaf0fd000edcfaf0e4f96f1878fea2d8defab0d6c26cfae7167c21c4ba93
  SHA512: edb5becec9a2292e9c982eb7b1dfc0f0e473a1800425245738d689bec2b3ac3c4f21e8074a4308c38a21dbd77216242708302ed98feb128e8cbde818a6c0dd85