c550afead5678a5fe073b286200be7ffcd95664a9c088326b4d8270ce3a03433 | Triage

Analysis

max time kernel
31s
max time network
32s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 16:48

Sharing

Reason

Machine shutdown

Report Analysis Logs

General

Target

noclick.exe
Size

130KB
MD5

d3fc9af372067fc4fcaa3ba59e1d6b64
SHA1

9cfd82a2975f4fc39be88e5f35672f2fce43d2df
SHA256

c550afead5678a5fe073b286200be7ffcd95664a9c088326b4d8270ce3a03433
SHA512

be62819732a0d4ac2d277ef9c1ba1acd6cbdbdf3a50690d9b6b61e5c0a07ba5c9ad22e0093bd50487a9ca4dbac579f7946861d71fc514ef664bc0490e2978256
SSDEEP

1536:tgskaSHWaP1f4/XgHgf8HJPJsSvWh3kM5z8mdRvyLm+pPPAruINeVtbjBT0WpQA1:tgJIC1f4/D8ESAaJiu9OA

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2304	shutdown.exe
Token: SeRemoteShutdownPrivilege	2304	shutdown.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2944	2140	noclick.exe	29
PID 2140 wrote to memory of 2944	2140	noclick.exe	29
PID 2140 wrote to memory of 2944	2140	noclick.exe	29
PID 2944 wrote to memory of 2304	2944	cmd.exe	30
PID 2944 wrote to memory of 2304	2944	cmd.exe	30
PID 2944 wrote to memory of 2304	2944	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\noclick.exe
"C:\Users\Admin\AppData\Local\Temp\noclick.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown -r
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\system32\shutdown.exe
    shutdown -r
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2304

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2792

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2140-0-0x000000013F6C0000-0x000000013F6E4000-memory.dmp

Filesize
144KB

Download
memory/2792-1-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2900-2-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download