54e1cdbf7e60f98db79d8feaad1e80d879432094867e7057f67104787e5cb567

Analysis

max time kernel
92s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 22:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17e985b545a131de8586c09694c923c0N.exe
Size

3.3MB
MD5

17e985b545a131de8586c09694c923c0
SHA1

d4ad0d8d53421aae444fd62530e3a9f21e0b45b6
SHA256

54e1cdbf7e60f98db79d8feaad1e80d879432094867e7057f67104787e5cb567
SHA512

cad9840030cc7bac4ecded3377e760e2a9788385e2469bfd71819f85f43dd4ad827fe80fc2677f7159aa3139ee7cbdd3e696020e43e3034ae724294fedcde1f1
SSDEEP

98304:ppUlB+zO6kJdoZoli2WxGQZbNF63EBvRt3IjWaH:ppXzOY8iNhZRbBvu

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2804	tasklist.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	tasklist.exe
Token: SeBackupPrivilege	2648	Robocopy.exe
Token: SeRestorePrivilege	2648	Robocopy.exe
Token: SeSecurityPrivilege	2648	Robocopy.exe
Token: SeTakeOwnershipPrivilege	2648	Robocopy.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 2268	708	17e985b545a131de8586c09694c923c0N.exe	29
PID 708 wrote to memory of 2268	708	17e985b545a131de8586c09694c923c0N.exe	29
PID 708 wrote to memory of 2268	708	17e985b545a131de8586c09694c923c0N.exe	29
PID 708 wrote to memory of 2268	708	17e985b545a131de8586c09694c923c0N.exe	29
PID 2268 wrote to memory of 2804	2268	cmd.exe	31
PID 2268 wrote to memory of 2804	2268	cmd.exe	31
PID 2268 wrote to memory of 2804	2268	cmd.exe	31
PID 2268 wrote to memory of 2804	2268	cmd.exe	31
PID 2268 wrote to memory of 2420	2268	cmd.exe	32
PID 2268 wrote to memory of 2420	2268	cmd.exe	32
PID 2268 wrote to memory of 2420	2268	cmd.exe	32
PID 2268 wrote to memory of 2420	2268	cmd.exe	32
PID 2268 wrote to memory of 2648	2268	cmd.exe	34
PID 2268 wrote to memory of 2648	2268	cmd.exe	34
PID 2268 wrote to memory of 2648	2268	cmd.exe	34
PID 2268 wrote to memory of 2648	2268	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\17e985b545a131de8586c09694c923c0N.exe
"C:\Users\Admin\AppData\Local\Temp\17e985b545a131de8586c09694c923c0N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\martini\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq force.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\SysWOW64\find.exe
    find /I "force.exe"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\Robocopy.exe
    robocopy "\\10.8.20.151\share" "C:\Users\Admin\AppData\Local\Temp\martini\AntiVirus" /E
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\martini\1.bat

Filesize
757B

MD5
fdc816fb3d92e02c75f65b1372861f27

SHA1
78f86e7248492797101cb8e922f1f5e7f542d99f

SHA256
8a0cd4fb3542458849e20c547a684578dd7fdd4317021dacf5517f607f8ceea7

SHA512
8cb377e485f60fca32cb19690046836d7d42b6a5265b06f656a7a95fffc7e54356554d554228732028d46293e18bc82f53007e5b4a0944b991a6d5bacec55948

Download Submit