066594dcff87322e72f9cc5e1c507c91607d1c32ae355849eceee0c0c5a5d073

Resubmissions

31-05-2024 17:07

240531-vm8c3aff22 7

28-05-2024 14:45

240528-r45fysad93 10

Analysis

max time kernel
48s
max time network
16s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inv.exe
Size

961KB
MD5

76531d39883b68c043629aa10630d089
SHA1

824d18f09010dbaa411dbc6680e7e4bb7d7d646b
SHA256

ace8278c3113b551c6f87599c9a7d64724b55293fc64312a8c042585b07f75f8
SHA512

7cef89bff08fc07a31c63e20310e9bc75f12c53f4480ba4c9c9fb218af2e86e5881683c45696b3afab7c91223b45622b953c547a1eccbbf04b00756cdc29a9c1
SSDEEP

24576:bxLgu0WUD1HOYMXj/V0fX38g1yGQoxqW2T:bF5W1HOYGVqf17QoxW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

app.exe

pid process

2712 app.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2456 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2712	app.exe

pid	process
2456	cmd.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

inv.exeapp.exe

description	pid	process
Token: SeDebugPrivilege	2368	inv.exe
Token: 33	2368	inv.exe
Token: SeIncBasePriorityPrivilege	2368	inv.exe
Token: SeDebugPrivilege	2712	app.exe
Token: 33	2712	app.exe
Token: SeIncBasePriorityPrivilege	2712	app.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

inv.execmd.exe

description	pid	process	target process
PID 2368 wrote to memory of 2580	2368	inv.exe	cmd.exe
PID 2368 wrote to memory of 2580	2368	inv.exe	cmd.exe
PID 2368 wrote to memory of 2580	2368	inv.exe	cmd.exe
PID 2368 wrote to memory of 2580	2368	inv.exe	cmd.exe
PID 2368 wrote to memory of 2456	2368	inv.exe	cmd.exe
PID 2368 wrote to memory of 2456	2368	inv.exe	cmd.exe
PID 2368 wrote to memory of 2456	2368	inv.exe	cmd.exe
PID 2368 wrote to memory of 2456	2368	inv.exe	cmd.exe
PID 2456 wrote to memory of 2712	2456	cmd.exe	app.exe
PID 2456 wrote to memory of 2712	2456	cmd.exe	app.exe
PID 2456 wrote to memory of 2712	2456	cmd.exe	app.exe
PID 2456 wrote to memory of 2712	2456	cmd.exe	app.exe

C:\Users\Admin\AppData\Local\Temp\inv.exe
"C:\Users\Admin\AppData\Local\Temp\inv.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\inv.exe" "C:\Users\Admin\Videos\app.exe"
  2⤵
  PID:2580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Videos\app.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\Videos\app.exe
    "C:\Users\Admin\Videos\app.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\Videos\app.exe

Filesize
961KB

MD5
76531d39883b68c043629aa10630d089

SHA1
824d18f09010dbaa411dbc6680e7e4bb7d7d646b

SHA256
ace8278c3113b551c6f87599c9a7d64724b55293fc64312a8c042585b07f75f8

SHA512
7cef89bff08fc07a31c63e20310e9bc75f12c53f4480ba4c9c9fb218af2e86e5881683c45696b3afab7c91223b45622b953c547a1eccbbf04b00756cdc29a9c1

Download Submit
memory/2368-0-0x00000000743DE000-0x00000000743DF000-memory.dmp

Filesize
4KB

Download
memory/2368-1-0x00000000000D0000-0x00000000001C8000-memory.dmp

Filesize
992KB

Download
memory/2368-2-0x0000000004760000-0x000000000480A000-memory.dmp

Filesize
680KB

Download
memory/2368-3-0x00000000003E0000-0x0000000000410000-memory.dmp

Filesize
192KB

Download
memory/2368-4-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2368-5-0x0000000000470000-0x000000000047E000-memory.dmp

Filesize
56KB

Download
memory/2368-6-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/2368-7-0x00000000743DE000-0x00000000743DF000-memory.dmp

Filesize
4KB

Download
memory/2368-8-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2368-14-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2712-15-0x0000000000990000-0x0000000000A88000-memory.dmp

Filesize
992KB

Download