c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6

Analysis

max time kernel
140s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe
Size

1.4MB
MD5

d3217232f5c506e5ba6701c40a7ae12c
SHA1

d56fd079d67aad557b9f70fb2f94ab823ced8eaa
SHA256

c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6
SHA512

d75bb8e6ed3378ba445df7cdfe80c726032d4b068f75fec10e52030e7879346ff83e3e4995fb074518309323fd4eb977ba98b8d471cb9d383fe28ac7ed4d37e7
SSDEEP

24576:wKnTIDPyaRQ35lgY+084Zy6W4WYtVm/BR8R3I9aRtZG1MO4EasFmY3pV49bcd:Qi39+084E6W4W8Vm/B049aXZmMAbT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1836	sg.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeBackupPrivilege	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe
Token: SeRestorePrivilege	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe
Token: 33	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe
Token: SeIncBasePriorityPrivilege	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe
Token: 33	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe
Token: SeIncBasePriorityPrivilege	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe
Token: 33	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe
Token: SeIncBasePriorityPrivilege	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe
Token: SeRestorePrivilege	1836	sg.tmp
Token: 35	1836	sg.tmp
Token: SeSecurityPrivilege	1836	sg.tmp
Token: SeSecurityPrivilege	1836	sg.tmp
Token: 33	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe
Token: SeIncBasePriorityPrivilege	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1624	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe	83
PID 2112 wrote to memory of 1624	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe	83
PID 2112 wrote to memory of 1836	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe	85
PID 2112 wrote to memory of 1836	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe	85
PID 2112 wrote to memory of 1836	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe	85
PID 2112 wrote to memory of 2812	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe	87
PID 2112 wrote to memory of 2812	2112	c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe	87

C:\Users\Admin\AppData\Local\Temp\c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe
"C:\Users\Admin\AppData\Local\Temp\c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:1624
- C:\Users\Admin\AppData\Local\Temp\~7181138417544380612~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\c2dd0fc27a0cd14d2eb7f7d400221cb69b3f1d0a6e997e61ca3da4e2bf1efbb6.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~1384808882209120533"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\~1384808882209120533\Script_Run.bat" "
  2⤵
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~1384808882209120533\Script_Run.bat

Filesize
6KB

MD5
a04d3936e144709e7bb9d652174ab651

SHA1
7bc8d188a146a9b63b5a3e0ffccb8fa347549999

SHA256
ba4fb041982e66023bbd4d57305ec5f5d5c6d9c4c829eab910fa8584e403ed6e

SHA512
edd4aebd0876a747730709637f961c3ae97d2c0e6f22988b5ea7ee97839d6dafde6128c9a3ed5d67402a0ca6b36fcace75d0907e48299ca5ddd89492494a0a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7181138417544380612~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit