Analysis
max time kernel: 131s
max time network: 144s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 28-07-2024 09:29
Behavioral tasks
behavioral1: Sample windows.exe, Resource win7-20240708-en
behavioral2: Sample windows.exe, Resource win10-20240404-en
behavioral3: Sample windows.exe, Resource win10v2004-20240709-en
behavioral4: Sample windows.exe, Resource win11-20240709-en
General
Target: windows.exe
Size: 913KB
MD5: 4c30c907584baa7c1931a3a83ba69149
SHA1: 09d3887d9895189a49930a61aea8c788b1ad1c0e
SHA256: afc180f84398fdf09969b61c538dd1b7d2259fba43b44a5ed00dac386df7a046
SHA512: 1f581850f9722153d760f6a0f125b71aae3b87546c851a26674cc37ec76b13e39f8abc93a77e1d32fdfe906fa80945fbfb9774cb002dadd922b629879c9246cc
SSDEEP: 24576:1Eqr4MROxnF25bYmfFhQ3rZlI0AilFEvxHil71B:1EjMiz3rZlI0AilFEvxHi
Malware Config
Signatures
- Drops desktop.ini file(s) (2 IoCs)
  Processes (description | ioc | Process):
  File created | C:\Windows\assembly\Desktop.ini | windows.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | windows.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
- Drops file in Windows directory (3 IoCs)
  Processes (description | ioc | Process):
  File created | C:\Windows\assembly\Desktop.ini | windows.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | windows.exe
  File opened for modification | C:\Windows\assembly | windows.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | Process):
  Token: SeDebugPrivilege | 2760 | windows.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | Process | procid_target):
  PID 2760 wrote to memory of 2684 | 2760 | windows.exe | 74
  PID 2760 wrote to memory of 2684 | 2760 | windows.exe | 74
  PID 2684 wrote to memory of 2780 | 2684 | csc.exe | 76
  PID 2684 wrote to memory of 2780 | 2684 | csc.exe | 76
Processes (process tree, indented by depth)
1. C:\Users\Admin\AppData\Local\Temp\windows.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
   PID: 2760
   - Drops desktop.ini file(s)
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_kvjrunu.cmdline"
      PID: 2684
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8629.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8618.tmp"
         PID: 2780
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 0a18933a1a054667c55c3e07fe756a0e
  SHA1: aa91883d3960f9704f3d19e16a645f9d30f8b308
  SHA256: b63ed8a4e73971a751667c5f24d48046ab245ff9a44d690ab4849573a7f7303a
  SHA512: ff460b3f710f30421525396f42b914051f6c040ddc68d88791674dd04fad8e98563907a8d9f8c28004b3188ff6a5a65ebaa1919497eb1dd401f6ecc9af365657
- Filesize: 76KB
  MD5: d74db40934e0b11dd4a42a9938422d68
  SHA1: 368e0c34d9582609e110ce8949a35d8d21b1e8c8
  SHA256: b4f1234743d50d61a168110fc5df31184f00a895fe2ddfda36efaf3956e0f36e
  SHA512: d9be29cadd4a073ffa9c138d54739d443539261040f8b647170f6a8d5fdc5671f37bcea2a0ef611a30b9c373c71f52dbe252eff3c60154a636a7229d82d0dcdd
- Filesize: 676B
  MD5: dd5041af799e9904ff1c46c3c786668d
  SHA1: 0e6db56fb1ce0c22f1f9521222493d392a9b91fd
  SHA256: 8e304d1c6f87cd462b5bd85be4c3cc8e389ded2e4c7cd892f2f6a11630bce59a
  SHA512: a839b8b43caf25578a22ed24f575cfb05f614d4bc6239ef70a4fe0ade5147b3f6a186e590458a79679b1326807a6b7f1c5676df95ba7f6e19c74d5df76035a41
- Filesize: 208KB
  MD5: 20c3202d2f363953cbb7aeca64ce87e5
  SHA1: c2b321c2511934cc2249a1760508e50ba9ee2f26
  SHA256: e497581ea80ab25a448e72b9aec48749dfeda7f7716521619f1f6d2564ac1392
  SHA512: 7724585b84600fb9f2ce1d0e4514f45eb982c4efe085efd8d7b9321e4d0abbb8e683fc3f21c02571c64443e2034bd4a8614b8edc045d1994e44f37729a970a69
- Filesize: 349B
  MD5: 31183a4e644862c7d0afccb1d3a793da
  SHA1: 6a710af411910891ba1eeeedfcd8fc480c470bac
  SHA256: 8788285f7a20712e34b7b14442bfdd3c53117d9ba339f84fd8c18f6bc2438230
  SHA512: 926657e19b2680b76b3700253f833c965a66d076bf644399a539bfa2f8bb02a1531cc0828304a7125bc0827873aeb65479ca75eab9b77226e95a466431c391f2