Analysis

max time kernel: 149s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-07-2024 09:29
Behavioral tasks

behavioral1: sample windows.exe, resource win7-20240708-en
behavioral2: sample windows.exe, resource win10-20240404-en
behavioral3: sample windows.exe, resource win10v2004-20240709-en
behavioral4: sample windows.exe, resource win11-20240709-en
General

Target: windows.exe
Size: 913KB
MD5: 4c30c907584baa7c1931a3a83ba69149
SHA1: 09d3887d9895189a49930a61aea8c788b1ad1c0e
SHA256: afc180f84398fdf09969b61c538dd1b7d2259fba43b44a5ed00dac386df7a046
SHA512: 1f581850f9722153d760f6a0f125b71aae3b87546c851a26674cc37ec76b13e39f8abc93a77e1d32fdfe906fa80945fbfb9774cb002dadd922b629879c9246cc
SSDEEP: 24576:1Eqr4MROxnF25bYmfFhQ3rZlI0AilFEvxHil71B:1EjMiz3rZlI0AilFEvxHi
Malware Config
Signatures
Drops desktop.ini file(s) (2 IoCs)
  Process windows.exe:
    File opened for modification   C:\Windows\assembly\Desktop.ini
    File created                   C:\Windows\assembly\Desktop.ini
  Caveat: .NET Framework processes routinely create or rewrite C:\Windows\assembly\Desktop.ini (the GAC shell-folder view); on its own this IoC is weak evidence of malicious intent.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)

Drops file in Windows directory (3 IoCs)
  Process windows.exe:
    File opened for modification   C:\Windows\assembly
    File created                   C:\Windows\assembly\Desktop.ini
    File opened for modification   C:\Windows\assembly\Desktop.ini

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description               PID    Process
  Token: SeDebugPrivilege   4604   windows.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: windows.exe, csc.exe
  Description                        PID    Process       Target procid
  PID 4604 wrote to memory of 1872   4604   windows.exe   87
  PID 4604 wrote to memory of 1872   4604   windows.exe   87
  PID 1872 wrote to memory of 2080   1872   csc.exe       89
  PID 1872 wrote to memory of 2080   1872   csc.exe       89
Processes

C:\Users\Admin\AppData\Local\Temp\windows.exe  (PID 4604)
  Command line: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
  Signatures: Drops desktop.ini file(s); Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe  (PID 1872)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a0cs2sej.cmdline"
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe  (PID 2080)
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE4B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDE4A.tmp"

Reading the tree: a .NET process running from %TEMP% launches csc.exe with /noconfig /fullpaths and a randomly named .cmdline response file in the same temp directory, and csc.exe in turn launches cvtres.exe. That is the sequence System.CodeDom.Compiler produces when a .NET program compiles and loads C# source at runtime. Build tools such as MSBuild and Visual Studio generate the identical csc.exe/cvtres.exe pair, so the discriminators are the parent process and where the response file lives, not the compiler invocation itself.
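The following detection logic is an added example, not part of the sandbox report and not code from the report's vendor. It replays the process tree above as constructed process-creation events (a simplified Sysmon Event ID 1 shape, which is an assumption of this example; the explorer.exe root parent, its PID, and the MSBuild control records are also constructed) and flags csc.exe/vbc.exe launches whose parent is not a known build tool, scoring the user-writable parent path, the temp-directory response file, and the cvtres.exe child separately so an analyst can see which part of the chain fired.

```python
import re
from typing import Dict, List

# Constructed process-creation events (simplified Sysmon Event ID 1 shape, an
# assumption of this example). PIDs, images and command lines of the first three
# records are taken from the report's process tree; explorer.exe as the root
# parent (PID 4120) and the two MSBuild control records are constructed.
EVENTS: List[Dict] = [
    {"pid": 4604, "ppid": 4120,
     "image": r"C:\Users\Admin\AppData\Local\Temp\windows.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\windows.exe"'},
    {"pid": 1872, "ppid": 4604,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a0cs2sej.cmdline"'},
    {"pid": 2080, "ppid": 1872,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE4B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDE4A.tmp"'},
    # Benign control (constructed): the same compiler launched by MSBuild from a project tree.
    {"pid": 3001, "ppid": 2999,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe app.csproj"},
    {"pid": 3002, "ppid": 3001,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\src\app\obj\Debug\app.cmdline"'},
]

COMPILERS = {"csc.exe", "vbc.exe"}
# Parents that legitimately drive the managed compilers; anything else doing so at runtime is worth a look.
TRUSTED_COMPILER_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
# Directories an unprivileged user can write to; paths here are where droppers and their response files live.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)
# The @file argument csc.exe reads its real command line from.
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)', re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def process_chain(events: List[Dict], pid: int) -> List[str]:
    """Walk ppid links from pid up to the root and return image basenames, root first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen-set guards against PID reuse cycles
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect_runtime_compilation(events: List[Dict]) -> List[Dict]:
    """Flag csc.exe/vbc.exe launches whose parent is not a known build tool."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in COMPILERS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) in TRUSTED_COMPILER_PARENTS:
            continue
        reasons = []
        if USER_WRITABLE.search(parent["image"]):
            reasons.append("parent image in user-writable directory")
        m = RESPONSE_FILE.search(e["cmdline"])
        if m and USER_WRITABLE.search(m.group(1)):
            reasons.append("compiler response file in user-writable directory")
        if any(c["ppid"] == e["pid"] and basename(c["image"]) == "cvtres.exe" for c in events):
            reasons.append("cvtres.exe child: full CodeDOM compile-and-link sequence")
        if reasons:
            alerts.append({
                "compiler_pid": e["pid"],
                "parent_pid": parent["pid"],
                "parent": parent["image"],
                "chain": process_chain(events, e["pid"]),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_runtime_compilation(EVENTS):
        print(" -> ".join(alert["chain"]), "|", "; ".join(alert["reasons"]))
```

Run against the constructed events, only the windows.exe -> csc.exe launch is reported, with all three reasons; the MSBuild-driven csc.exe is suppressed by the parent allowlist. On a real estate the allowlist is the part to tune: anything that legitimately uses CodeDOM (some installers, PowerShell Add-Type) will show up here and should be added deliberately rather than by silencing the rule.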
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: a7f81a92f7666f8aeaf5b0f48d668df6
SHA1: 502c3be3598f29eb9c0f2cd0a15cfb45f29e356f
SHA256: 7279f6fae7a5140e96e4b03a6a7a91dbab415b72f44af26fb8585b867fb622ef
SHA512: a19c5053da1723d8e070e412f47f653d521d9204c5f92a3c88281f38c1f3627643da4f06aec16f5c7c43b09320b1393505b94f1a59aeb019f83047f11e103502

Filesize: 76KB
MD5: 25f9649ac4f783703e45fe5483aa85e7
SHA1: fbede0b641d104767721851bce5ba9a80e1adacb
SHA256: 94229d34d99134de7e9552c78d3261236e2b123337be5b02aa4853e15733413a
SHA512: c28a6325742e5eb1af40572a9db1b228077db92df193b1b91f9fbd78f1e49912d63a282143f68803107b5e44485e6c81aae2eea331e8aefd760ecf4f46e25abd

Filesize: 676B
MD5: ff48254b251051d967161e814c0c2b66
SHA1: 7374e142fec9e0f8eecbf5ad5a6edc9169872e11
SHA256: 1102039163498fafd28b34adf551551a0057cf31841046c2bbd6689cc8a279e5
SHA512: 88415880ed8333c09ec356c71886ea6ad5696b9392016f9bc78ec3ee3c7715b9c279d5c020114c586cb1a2d4636931ad34e84b1707ce69833f1d54ad502fe23f

Filesize: 208KB
MD5: 64e43cf598e24b19939a6831b8ec9849
SHA1: 6efd0b89958568d0b5ee4e449abb078dcb63260b
SHA256: 62269db331e568956e4be5f665b6e5c1a414363f177aee486ae61f89c177b904
SHA512: 3f1cf646275d93c5f998dc56c13a40194f1314303251ce8fa0e90ffea18f906069724417a658e060d87d7712cfcba85a542ec1ed815effffe6e930ad5f207714

Filesize: 349B
MD5: 5b50a8686dfa977964d8d4e7dab4f8b4
SHA1: 69d66a2aa606801cbea01ac14f6201dd19b5a2ea
SHA256: acfdb1e2a3c5f2f791abeb816736d741be3ddff3f4797dc45dbe3affcfc03c8b
SHA512: 67daa1bc79f5b239d9f00b1317f5ab51af7a9e96e270bae54f73c6e3278d88574b2bfddf4d7d85985f26ef3b6910e85d89a454d5eaf7bf73c90a77c9469868b2