afc180f84398fdf09969b61c538dd1b7d2259fba43b44a5ed00dac386df7a046

Resubmissions

28/07/2024, 09:32

240728-lh334stalh 10

28/07/2024, 09:29

240728-lf31bsshnd 10

Analysis

max time kernel
117s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28/07/2024, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows.exe
Size

913KB
MD5

4c30c907584baa7c1931a3a83ba69149
SHA1

09d3887d9895189a49930a61aea8c788b1ad1c0e
SHA256

afc180f84398fdf09969b61c538dd1b7d2259fba43b44a5ed00dac386df7a046
SHA512

1f581850f9722153d760f6a0f125b71aae3b87546c851a26674cc37ec76b13e39f8abc93a77e1d32fdfe906fa80945fbfb9774cb002dadd922b629879c9246cc
SSDEEP

24576:1Eqr4MROxnF25bYmfFhQ3rZlI0AilFEvxHil71B:1EjMiz3rZlI0AilFEvxHi

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	0.tcp.eu.ngrok.io

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	windows.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2812	2164	windows.exe	30
PID 2164 wrote to memory of 2812	2164	windows.exe	30
PID 2164 wrote to memory of 2812	2164	windows.exe	30
PID 2812 wrote to memory of 2684	2812	csc.exe	32
PID 2812 wrote to memory of 2684	2812	csc.exe	32
PID 2812 wrote to memory of 2684	2812	csc.exe	32

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wcaq4ulb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B66.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9B65.tmp"
    3⤵
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB260.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9B66.tmp

Filesize
1KB

MD5
14c83425ab6e3633ee795cb54a45f4f5

SHA1
e461716df3c6e2d3731828571eeedfee02cfdddd

SHA256
bc6af9850c026f632eb7ba80e54e473c4f8eb7a30df5a7689c311ad5b91580de

SHA512
6706351c21cde0a456bb04b61f24412821efcff11020ff5daf7522722abcd92bc79c02fd7d3093eb224d31000b6115ec7f2f73ebaf7c7488c7d47cf96c698cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcaq4ulb.dll

Filesize
76KB

MD5
e2acc0f30a2e1ede8c460424285b3385

SHA1
a2ae09a3fc7b18d5f929d0e562e5ee84cbd906f8

SHA256
a06af45424885903149c62247f380ecb8bd89d6afdedad7a66204e19993637ad

SHA512
78b628c78905695028e1eb91f23587f9f5ded2660e573e09903580b97ffee6a85a941eb92d6fa02df7f8cbe6e95eabf8a150a8a6cf7cdc1d98c1ec1023dc809a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9B65.tmp

Filesize
676B

MD5
eb96fe8381a45f8915d81c1d4b73a929

SHA1
8e7d596df7f0e46b937b20e287c83a3ea951c11a

SHA256
72c9cc651aa3574fb5bbe1c64646a34b6df59ac68c12f1456a1a60d69f4f21f8

SHA512
55c774fd08eee374c017e296358688ed8c87d2b581c407c7c372860b14d5b5d9f4b75a9c770e31a23a19e7807daa1b66bd1852edc2ff747c8afffd98fccd1485

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wcaq4ulb.0.cs

Filesize
208KB

MD5
6f1f079f851ba33c1ddacdde2df11f7a

SHA1
403fd00fc528c38049a539d916807ac5f63c2334

SHA256
d8e80b5ae56ca7b9b095a0c24dfa06edbf8041b8684b32bc9c8c28d90b73a454

SHA512
82a9ceebac19e14719190df97da7819caa7d99dc135824cbaea2609d33b46b686c464a2483cc0c96daa7a922d93a2e140fbce44ffbf29bdc8fccfed82d35c79a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wcaq4ulb.cmdline

Filesize
349B

MD5
2d24418124469432281ee95b5f61a6b3

SHA1
ccf31bca356b9b814744c69a32fccd5b76c811d4

SHA256
e18c900550031ac66ca97705ea213536025abef301e06066f2b770effc90895b

SHA512
46022f640dafd59b2fcacb2df3d26fa5b8071ee45a1077364d527c11424f4f806183d320b69924acf37ab1dda9c3bcf20b2e459387683ffbb4faba96f83768c1

Download Submit
memory/2164-29-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-26-0x00000000021F0000-0x0000000002208000-memory.dmp

Filesize
96KB

Download
memory/2164-52-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-3-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-51-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-19-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/2164-2-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/2164-21-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2164-23-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/2164-22-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/2164-4-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-27-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-24-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-28-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/2164-0-0x000007FEF602E000-0x000007FEF602F000-memory.dmp

Filesize
4KB

Download
memory/2164-1-0x00000000006F0000-0x000000000074C000-memory.dmp

Filesize
368KB

Download
memory/2164-48-0x000007FEF602E000-0x000007FEF602F000-memory.dmp

Filesize
4KB

Download
memory/2164-49-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-50-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2812-17-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2812-12-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download