f55ff667003f1cb9794a487a925a6c86e9043fda46ec2ab30f8926fd5f509f59

Resubmissions

14/06/2024, 18:10

240614-wr2xhs1dqa 8

14/06/2024, 18:03

240614-wmz75a1cjc 8

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Axiom Free Temp.exe
Size

168KB
MD5

461a1663734d622fc49e4a03b17d284d
SHA1

52505039993d7c19cc28debbaef474f5ab61c745
SHA256

f55ff667003f1cb9794a487a925a6c86e9043fda46ec2ab30f8926fd5f509f59
SHA512

b3c95a238ba90e72658cf2d0844f8d00dff13715110090d41031a15d0c35b082e857f5fdbc7c30deeda1164764f68bfa02fa4b89d522406c4b11b9dccca8b94d
SSDEEP

3072:Lhnks0n7phfmxymej1ic0UmJTQSaMm5/6aoP1D:1tU/mxyhjGvWljoP1D

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3432	WMIC.exe
Token: SeSecurityPrivilege	3432	WMIC.exe
Token: SeTakeOwnershipPrivilege	3432	WMIC.exe
Token: SeLoadDriverPrivilege	3432	WMIC.exe
Token: SeSystemProfilePrivilege	3432	WMIC.exe
Token: SeSystemtimePrivilege	3432	WMIC.exe
Token: SeProfSingleProcessPrivilege	3432	WMIC.exe
Token: SeIncBasePriorityPrivilege	3432	WMIC.exe
Token: SeCreatePagefilePrivilege	3432	WMIC.exe
Token: SeBackupPrivilege	3432	WMIC.exe
Token: SeRestorePrivilege	3432	WMIC.exe
Token: SeShutdownPrivilege	3432	WMIC.exe
Token: SeDebugPrivilege	3432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3432	WMIC.exe
Token: SeRemoteShutdownPrivilege	3432	WMIC.exe
Token: SeUndockPrivilege	3432	WMIC.exe
Token: SeManageVolumePrivilege	3432	WMIC.exe
Token: 33	3432	WMIC.exe
Token: 34	3432	WMIC.exe
Token: 35	3432	WMIC.exe
Token: 36	3432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3432	WMIC.exe
Token: SeSecurityPrivilege	3432	WMIC.exe
Token: SeTakeOwnershipPrivilege	3432	WMIC.exe
Token: SeLoadDriverPrivilege	3432	WMIC.exe
Token: SeSystemProfilePrivilege	3432	WMIC.exe
Token: SeSystemtimePrivilege	3432	WMIC.exe
Token: SeProfSingleProcessPrivilege	3432	WMIC.exe
Token: SeIncBasePriorityPrivilege	3432	WMIC.exe
Token: SeCreatePagefilePrivilege	3432	WMIC.exe
Token: SeBackupPrivilege	3432	WMIC.exe
Token: SeRestorePrivilege	3432	WMIC.exe
Token: SeShutdownPrivilege	3432	WMIC.exe
Token: SeDebugPrivilege	3432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3432	WMIC.exe
Token: SeRemoteShutdownPrivilege	3432	WMIC.exe
Token: SeUndockPrivilege	3432	WMIC.exe
Token: SeManageVolumePrivilege	3432	WMIC.exe
Token: 33	3432	WMIC.exe
Token: 34	3432	WMIC.exe
Token: 35	3432	WMIC.exe
Token: 36	3432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2516	WMIC.exe
Token: SeSecurityPrivilege	2516	WMIC.exe
Token: SeTakeOwnershipPrivilege	2516	WMIC.exe
Token: SeLoadDriverPrivilege	2516	WMIC.exe
Token: SeSystemProfilePrivilege	2516	WMIC.exe
Token: SeSystemtimePrivilege	2516	WMIC.exe
Token: SeProfSingleProcessPrivilege	2516	WMIC.exe
Token: SeIncBasePriorityPrivilege	2516	WMIC.exe
Token: SeCreatePagefilePrivilege	2516	WMIC.exe
Token: SeBackupPrivilege	2516	WMIC.exe
Token: SeRestorePrivilege	2516	WMIC.exe
Token: SeShutdownPrivilege	2516	WMIC.exe
Token: SeDebugPrivilege	2516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2516	WMIC.exe
Token: SeRemoteShutdownPrivilege	2516	WMIC.exe
Token: SeUndockPrivilege	2516	WMIC.exe
Token: SeManageVolumePrivilege	2516	WMIC.exe
Token: 33	2516	WMIC.exe
Token: 34	2516	WMIC.exe
Token: 35	2516	WMIC.exe
Token: 36	2516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2516	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3252	Axiom Free Temp.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 4476	3252	Axiom Free Temp.exe	84
PID 3252 wrote to memory of 4476	3252	Axiom Free Temp.exe	84
PID 3252 wrote to memory of 232	3252	Axiom Free Temp.exe	85
PID 3252 wrote to memory of 232	3252	Axiom Free Temp.exe	85
PID 3252 wrote to memory of 2380	3252	Axiom Free Temp.exe	89
PID 3252 wrote to memory of 2380	3252	Axiom Free Temp.exe	89
PID 3252 wrote to memory of 4392	3252	Axiom Free Temp.exe	90
PID 3252 wrote to memory of 4392	3252	Axiom Free Temp.exe	90
PID 3252 wrote to memory of 4016	3252	Axiom Free Temp.exe	91
PID 3252 wrote to memory of 4016	3252	Axiom Free Temp.exe	91
PID 3252 wrote to memory of 3340	3252	Axiom Free Temp.exe	92
PID 3252 wrote to memory of 3340	3252	Axiom Free Temp.exe	92
PID 3340 wrote to memory of 3432	3340	cmd.exe	93
PID 3340 wrote to memory of 3432	3340	cmd.exe	93
PID 3252 wrote to memory of 1244	3252	Axiom Free Temp.exe	95
PID 3252 wrote to memory of 1244	3252	Axiom Free Temp.exe	95
PID 1244 wrote to memory of 2516	1244	cmd.exe	96
PID 1244 wrote to memory of 2516	1244	cmd.exe	96
PID 3252 wrote to memory of 2736	3252	Axiom Free Temp.exe	97
PID 3252 wrote to memory of 2736	3252	Axiom Free Temp.exe	97
PID 2736 wrote to memory of 2132	2736	cmd.exe	98
PID 2736 wrote to memory of 2132	2736	cmd.exe	98
PID 3252 wrote to memory of 764	3252	Axiom Free Temp.exe	99
PID 3252 wrote to memory of 764	3252	Axiom Free Temp.exe	99
PID 764 wrote to memory of 4860	764	cmd.exe	100
PID 764 wrote to memory of 4860	764	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\Axiom Free Temp.exe
"C:\Users\Admin\AppData\Local\Temp\Axiom Free Temp.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 5
  2⤵
  PID:4476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get serialnumber
    3⤵
    PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic networkadapter get MACAddress
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic networkadapter get MACAddress
    3⤵
    PID:4860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2904

Windows 7 deprecation

Loading Replay Monitor...

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads