130a2379f8f07cec2cd9935bdf67bfcfbb977327f89f017dc16f19efc871d864

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240709-fr
resource tags

arch:x64arch:x86image:win11-20240709-frlocale:fr-fros:windows11-21h2-x64systemwindows
submitted
20/07/2024, 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Panel.exe
Size

12.1MB
MD5

85afedf22ca7d0561be4443e854459a7
SHA1

1fec08de68672a302f0df40ff30b22cee4d18057
SHA256

130a2379f8f07cec2cd9935bdf67bfcfbb977327f89f017dc16f19efc871d864
SHA512

e5229c4e67bc7d4ef8b53c94cfd017833797ecb52a93d71e9770ae50aaaa8e3e6c9b6433389f85255c2fe92bf94bdf1f6d1c49a01ac0809d7c8ccdb8c07dce03
SSDEEP

393216:+A+bVvdvbtsjjBbns3JX08gNghF5tAVsQsaBMvBVvrsV4ojavjdTbvosw+z6VVq1:+A+bVvdvbtsjjBbns3JX08gNghF5tAV8

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1420	Panel.exe
4572	Panel.exe
1420	Panel.exe
4572	Panel.exe
1420	Panel.exe
4572	Panel.exe
1420	Panel.exe
4572	Panel.exe
1420	Panel.exe
4572	Panel.exe
1420	Panel.exe
4572	Panel.exe
1420	Panel.exe
1420	Panel.exe
1420	Panel.exe
1420	Panel.exe
2636	Panel.exe
1420	Panel.exe
2636	Panel.exe
1420	Panel.exe
2636	Panel.exe
1420	Panel.exe
2636	Panel.exe
1420	Panel.exe
1420	Panel.exe
1452	Panel.exe
1420	Panel.exe
1452	Panel.exe
1420	Panel.exe
1452	Panel.exe
1420	Panel.exe
1452	Panel.exe
1420	Panel.exe
1452	Panel.exe
1420	Panel.exe
1452	Panel.exe
1420	Panel.exe
1452	Panel.exe
1420	Panel.exe
1452	Panel.exe
1420	Panel.exe
1452	Panel.exe
1420	Panel.exe
1452	Panel.exe
1420	Panel.exe
1452	Panel.exe
1420	Panel.exe
1452	Panel.exe
1420	Panel.exe
1452	Panel.exe
1420	Panel.exe
1452	Panel.exe
1420	Panel.exe
1452	Panel.exe
1420	Panel.exe
1420	Panel.exe
1420	Panel.exe
4468	Panel.exe
1420	Panel.exe
4468	Panel.exe
1420	Panel.exe
4468	Panel.exe
1420	Panel.exe
4468	Panel.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	Panel.exe
Token: SeDebugPrivilege	4572	Panel.exe
Token: SeDebugPrivilege	2636	Panel.exe
Token: SeDebugPrivilege	1452	Panel.exe
Token: SeDebugPrivilege	4468	Panel.exe
Token: SeDebugPrivilege	4892	Panel.exe
Token: SeDebugPrivilege	1708	Panel.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4504	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 4572	1420	Panel.exe	77
PID 1420 wrote to memory of 4572	1420	Panel.exe	77
PID 1420 wrote to memory of 2636	1420	Panel.exe	82
PID 1420 wrote to memory of 2636	1420	Panel.exe	82
PID 1420 wrote to memory of 1452	1420	Panel.exe	87
PID 1420 wrote to memory of 1452	1420	Panel.exe	87
PID 1420 wrote to memory of 4468	1420	Panel.exe	90
PID 1420 wrote to memory of 4468	1420	Panel.exe	90
PID 1420 wrote to memory of 4892	1420	Panel.exe	93
PID 1420 wrote to memory of 4892	1420	Panel.exe	93
PID 1420 wrote to memory of 1708	1420	Panel.exe	96
PID 1420 wrote to memory of 1708	1420	Panel.exe	96

C:\Users\Admin\AppData\Local\Temp\Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Panel.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1708

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Panel.exe.log

Filesize
1KB

MD5
c7eb6cc6ed42aa4d66b34cc8574c8449

SHA1
be40237fc6355f40e35812ac68322827f49151cc

SHA256
dba6de21c58e1179f115af4732bd8e291831cd5bfb879444c5d7109bcf72743b

SHA512
6133c0fdfd97d22c5273cc09c43991c939421515558b40afdd4628fb65b734f67861910485c4cf0df2ad9bb5f244afdf5074fbe5858164af20d9121530b5edf9

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
605569224afd9f1770eb9729da87be95

SHA1
959244c7a33bec1903439de3310f9a0d57561924

SHA256
cfa7d041b326734b56cea4549e6a6897e16bc5bda95665758879c2919b722768

SHA512
75659d6e46a1f62542970a5718ce320ac5b634b7e4f1a49ac20cc3aa8b9bd39db536bdb5b0e18ab6136e7901cec370a45a1ce8efdaac05f3e39c3ab2d3a4a890

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
f9c4f8d7739744b8ce2d1484f91ff266

SHA1
4327ac3116a0c41cd72f1b3bb8172aa382a292df

SHA256
3e7ef6fc55b0a603ba98160ce46a32c33f509c4fd7816cc287cd0ce8f4da898e

SHA512
4ee11a003200b6ad332e0f2d6a9b84abe96a1d312bfedda7e0d30ceafed9a38480e7e3015266c9fbcca6aa537fd12e37715f2306b21060467778c64a8ad070b0

Download Submit
memory/1420-0-0x00007FFFD5E43000-0x00007FFFD5E45000-memory.dmp

Filesize
8KB

Download
memory/1420-1-0x000001D430E30000-0x000001D431A44000-memory.dmp

Filesize
12.1MB

Download
memory/1420-2-0x00007FFFD5E40000-0x00007FFFD6902000-memory.dmp

Filesize
10.8MB

Download
memory/1420-29-0x00007FFFD5E43000-0x00007FFFD5E45000-memory.dmp

Filesize
8KB

Download
memory/1420-30-0x00007FFFD5E40000-0x00007FFFD6902000-memory.dmp

Filesize
10.8MB

Download
memory/4572-3-0x00007FFFD5E40000-0x00007FFFD6902000-memory.dmp

Filesize
10.8MB

Download
memory/4572-4-0x00007FFFD5E40000-0x00007FFFD6902000-memory.dmp

Filesize
10.8MB

Download
memory/4572-6-0x00007FFFD5E40000-0x00007FFFD6902000-memory.dmp

Filesize
10.8MB

Download
memory/4572-7-0x00007FFFD5E40000-0x00007FFFD6902000-memory.dmp

Filesize
10.8MB

Download