22281a51be5c6d5376c62f3776ec75f6d0f6a3347f285b25b7c42b6547767bb6 | Triage

Resubmissions

27-07-2024 16:33

240727-t2xz7syakn 3

27-07-2024 09:12

240727-k6lnassepb 3

Analysis

max time kernel
99s
max time network
112s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
27-07-2024 16:33

Sharing

Report Analysis Logs

General

Target

main.zip
Size

108.1MB
MD5

abb764be0fc24ce0452e4de817434261
SHA1

ff4cdd45d1ae259774858a027f3917ab8b2eaade
SHA256

22281a51be5c6d5376c62f3776ec75f6d0f6a3347f285b25b7c42b6547767bb6
SHA512

1948a0cf1ae699d9fd995151796a90a9cd956f22a3381f506d67a1588bcf924184cc6be5ef3b518d20cb3fbedea129bb0cbd341d1c508fdca99f49068662d9e8
SSDEEP

3145728:P1J68bdAW2bvc08yyMjitk6QeAdyRY6yitfI1H8:P1JqTbvMVMsk6Q7yK6E1H8

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4348	main.exe
4348	main.exe
1368	main.exe
1368	main.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	main.exe
Token: SeDebugPrivilege	1368	main.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4348	main.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1368	1120	cmd.exe	90
PID 1120 wrote to memory of 1368	1120	cmd.exe	90

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\main.zip
1⤵
PID:1424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4740

C:\Users\Admin\Documents\main\main\main.exe
"C:\Users\Admin\Documents\main\main\main.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\Documents\main\main\main.exe
  main.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1368-1-0x00007FF80A250000-0x00007FF80A4B3000-memory.dmp

Filesize
2.4MB

Download
memory/4348-0-0x00007FF80A250000-0x00007FF80A4B3000-memory.dmp

Filesize
2.4MB

Download