afc180f84398fdf09969b61c538dd1b7d2259fba43b44a5ed00dac386df7a046

Resubmissions

28/07/2024, 09:32

240728-lh334stalh 10

28/07/2024, 09:29

240728-lf31bsshnd 10

Analysis

max time kernel
149s
max time network
156s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28/07/2024, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows.exe
Size

913KB
MD5

4c30c907584baa7c1931a3a83ba69149
SHA1

09d3887d9895189a49930a61aea8c788b1ad1c0e
SHA256

afc180f84398fdf09969b61c538dd1b7d2259fba43b44a5ed00dac386df7a046
SHA512

1f581850f9722153d760f6a0f125b71aae3b87546c851a26674cc37ec76b13e39f8abc93a77e1d32fdfe906fa80945fbfb9774cb002dadd922b629879c9246cc
SSDEEP

24576:1Eqr4MROxnF25bYmfFhQ3rZlI0AilFEvxHil71B:1EjMiz3rZlI0AilFEvxHi

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	windows.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	windows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
1	0.tcp.eu.ngrok.io

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	windows.exe
File opened for modification	C:\Windows\assembly	windows.exe
File created	C:\Windows\assembly\Desktop.ini	windows.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe
2064	windows.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	windows.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 4780	2064	windows.exe	75
PID 2064 wrote to memory of 4780	2064	windows.exe	75
PID 4780 wrote to memory of 1520	4780	csc.exe	77
PID 4780 wrote to memory of 1520	4780	csc.exe	77

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xgqs3dcz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80CA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC80C9.tmp"
    3⤵
    PID:1520

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES80CA.tmp

Filesize
1KB

MD5
f4f0ed8492c1ba383293b3729f136b6b

SHA1
0182dfd5963bd141863fce6ef37abb4b502edfee

SHA256
f45a303a69b994b1b32dc54aa2b3036b194210a3be6f1dfddc9e8d79de2b4c91

SHA512
8d9d861f788bd19668e6c7ef0990c056079bd3078854af76d267de636902281453bf28ae0d9f1fcc04a1be770b1cb8ce9ca4c580f7a1b4fb8cada397483a92cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgqs3dcz.dll

Filesize
76KB

MD5
e1ea6243ac9742df669b09ad76d35db3

SHA1
b3195d021cf23e44f64eba8e9bb1d7e4a5fc4182

SHA256
736092a31b509eee5584d2e57fa4de948d6d7e6b9f961792f3b031f1ef71d1c5

SHA512
8f5cae8722039c0c6e01d16447f6a6d308a5e8e3afc762f43682cc4181369a575b7a356799d88267c8ea318a5b8ad466d924849db7c06427d27555398d867991

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC80C9.tmp

Filesize
676B

MD5
afe8f49ddf49565483551268b16e408d

SHA1
e6e9149b22e61100ae1570d6dc661c30defc3d57

SHA256
8e6641506096bd457900180bc6195ee9f5beffc53095c013bc86265a38ba99db

SHA512
31accfda8236044087298ed65577a049b1052c437a153105b07a6efb6d9fdb5aec6b3a62890c1e0e6800b5e270e6890e34a5b40a1f52bf1c2cbf48bfda9da30c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xgqs3dcz.0.cs

Filesize
208KB

MD5
f201c369bd623242f3289ff8ae83bf23

SHA1
e428d3d830ffd01d3092268c31e9a05ffcac8b1e

SHA256
85e622a42ea3dbe1d673f8b378837bf4019ad3176a3ff87328235d3d575fb1f5

SHA512
8afb0240ad91863c8764a2e7dbfd8f74e4fd71c68b9c3753f948268542fe44789b7b84a32aae106ba057dcac89ff19dd6dd79e76097837b0c2642bfbbc5fa232

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xgqs3dcz.cmdline

Filesize
349B

MD5
cd2390773df697e4aee6ed93d3b34577

SHA1
9ec4b1f5664d889eff0aa03c69029b88229a0872

SHA256
b982346865abd9939ca20e0957aaa562095b8a47e5f54f6e91813f8a3749e31e

SHA512
a449f1f0402aeadfe4152d906d2a163f5131d7a1257f76c204ffd950b10319b9439a8773cfea77a83ade20144c5c06053143f54f4803842b287562f6c6da6bef

Download Submit
memory/2064-26-0x0000000002D30000-0x0000000002D38000-memory.dmp

Filesize
32KB

Download
memory/2064-30-0x000000001DF40000-0x000000001E030000-memory.dmp

Filesize
960KB

Download
memory/2064-7-0x000000001C130000-0x000000001C5FE000-memory.dmp

Filesize
4.8MB

Download
memory/2064-6-0x000000001BA40000-0x000000001BA4E000-memory.dmp

Filesize
56KB

Download
memory/2064-49-0x00007FF84F670000-0x00007FF84F84B000-memory.dmp

Filesize
1.9MB

Download
memory/2064-3-0x000000001B970000-0x000000001B9CC000-memory.dmp

Filesize
368KB

Download
memory/2064-2-0x00007FF84F670000-0x00007FF84F84B000-memory.dmp

Filesize
1.9MB

Download
memory/2064-48-0x00007FF84F670000-0x00007FF84F84B000-memory.dmp

Filesize
1.9MB

Download
memory/2064-1-0x00007FF84F670000-0x00007FF84F84B000-memory.dmp

Filesize
1.9MB

Download
memory/2064-23-0x000000001BBF0000-0x000000001BC06000-memory.dmp

Filesize
88KB

Download
memory/2064-25-0x0000000002D50000-0x0000000002D62000-memory.dmp

Filesize
72KB

Download
memory/2064-0-0x00007FF84F670000-0x00007FF84F84B000-memory.dmp

Filesize
1.9MB

Download
memory/2064-27-0x000000001B960000-0x000000001B968000-memory.dmp

Filesize
32KB

Download
memory/2064-28-0x000000001D020000-0x000000001D082000-memory.dmp

Filesize
392KB

Download
memory/2064-29-0x000000001D980000-0x000000001DF3A000-memory.dmp

Filesize
5.7MB

Download
memory/2064-8-0x000000001C600000-0x000000001C69C000-memory.dmp

Filesize
624KB

Download
memory/2064-31-0x000000001CC80000-0x000000001CC9E000-memory.dmp

Filesize
120KB

Download
memory/2064-32-0x000000001E030000-0x000000001E079000-memory.dmp

Filesize
292KB

Download
memory/2064-33-0x00007FF84F670000-0x00007FF84F84B000-memory.dmp

Filesize
1.9MB

Download
memory/2064-34-0x000000001E100000-0x000000001E170000-memory.dmp

Filesize
448KB

Download
memory/2064-35-0x00007FF84F670000-0x00007FF84F84B000-memory.dmp

Filesize
1.9MB

Download
memory/2064-37-0x000000001E2B0000-0x000000001E2C8000-memory.dmp

Filesize
96KB

Download
memory/2064-38-0x000000001BA50000-0x000000001BA60000-memory.dmp

Filesize
64KB

Download
memory/2064-39-0x000000001D1A0000-0x000000001D1A8000-memory.dmp

Filesize
32KB

Download
memory/2064-42-0x000000001F2D0000-0x000000001F40C000-memory.dmp

Filesize
1.2MB

Download
memory/2064-45-0x00007FF84F670000-0x00007FF84F84B000-memory.dmp

Filesize
1.9MB

Download
memory/2064-46-0x00007FF84F670000-0x00007FF84F84B000-memory.dmp

Filesize
1.9MB

Download
memory/2064-47-0x00007FF84F670000-0x00007FF84F84B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-21-0x00007FF84F670000-0x00007FF84F84B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-14-0x00007FF84F670000-0x00007FF84F84B000-memory.dmp

Filesize
1.9MB

Download