afc180f84398fdf09969b61c538dd1b7d2259fba43b44a5ed00dac386df7a046

Resubmissions

28-07-2024 09:32

240728-lh334stalh 10

28-07-2024 09:29

240728-lf31bsshnd 10

Analysis

max time kernel
91s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows.exe
Size

913KB
MD5

4c30c907584baa7c1931a3a83ba69149
SHA1

09d3887d9895189a49930a61aea8c788b1ad1c0e
SHA256

afc180f84398fdf09969b61c538dd1b7d2259fba43b44a5ed00dac386df7a046
SHA512

1f581850f9722153d760f6a0f125b71aae3b87546c851a26674cc37ec76b13e39f8abc93a77e1d32fdfe906fa80945fbfb9774cb002dadd922b629879c9246cc
SSDEEP

24576:1Eqr4MROxnF25bYmfFhQ3rZlI0AilFEvxHil71B:1EjMiz3rZlI0AilFEvxHi

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	windows.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	windows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
26	0.tcp.eu.ngrok.io

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	windows.exe
File created	C:\Windows\assembly\Desktop.ini	windows.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	windows.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3676	windows.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 4436	3676	windows.exe	87
PID 3676 wrote to memory of 4436	3676	windows.exe	87
PID 4436 wrote to memory of 1244	4436	csc.exe	89
PID 4436 wrote to memory of 1244	4436	csc.exe	89

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4kuckucd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF9B2.tmp"
    3⤵
    PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4kuckucd.dll

Filesize
76KB

MD5
2a127d6161e88c1c9e333d111d08c0ce

SHA1
be772dd7d9aed33a9d89ab3b23d737ce29d99c74

SHA256
0dc5d0e86653148aacf4c615e58ef171b9b5205ff83f8859d95e145cbe2d9314

SHA512
69872b424beceddabbc0b88b8401ae2847ae1c75336f428cf3f733bfd55cd29fe5da90c17e4a501ca788d6b3012891aabcab75c6623584f016b504b3e1c8cdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF9D2.tmp

Filesize
1KB

MD5
9c44b92e4c1cba9985918d88e09f90c7

SHA1
fce305dd99ed03b55ee466f5ce908bebdf3d4da0

SHA256
5452af2f60a7037a433a194e30f817fa4e0a9e83f75c16bf1cf18b347f1f0abd

SHA512
99df46f17588aa4441fc3e3010bbdfd856c6aafcf61696e0f4db4516abbf6e0bb117f0e102f0b378158e72dcc416c6f4f9f2cbbcd63569f8171ce41f51f64ba7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4kuckucd.0.cs

Filesize
208KB

MD5
52e210cff413acf200b8b7013eee36fd

SHA1
c71f20d57ab6d8a3325c93249ea81d845c406815

SHA256
e8fa03c34fd6dbb47cc7a5484467af6cadf4a0bd8a09a7c6906e9c61019ec002

SHA512
7b7a57dd2d09ae2d2dbbf446382f324f6293e90e556e61cf9aaf09038a63d3b5625a4cb930fb4124c061973a3ade3351e15f2ca50e123ddeeb4334838f52950f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4kuckucd.cmdline

Filesize
349B

MD5
a05e23c50b01aad1d285fe094f387e24

SHA1
6d553e93daf23b9d62ee81585b4c64dc5007025e

SHA256
e1cf5839fda5dbce07132a37fc9367b947980241f52ad88efae23a20ff9a2d18

SHA512
33ded91376ac60127625a8a5be93f559a6aca9d24b848f1da28082d861c120c15a745de6b1f53490cab55bec8553386e3b90f2e69552a9d6721540d435087b19

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF9B2.tmp

Filesize
676B

MD5
af79fa97024353ddcbcb4545448a0baf

SHA1
f2ef0bea751835db4183aa0b12399de1b94f6d07

SHA256
175291a2666439b8bdcec2d9f51c4fd2a73627b942ba903419d38757cb00d10c

SHA512
0e2ed359b1c737fe7f6f54f0c071cc8c59a347a02130301c74833e69426041c46f3af4a7e1942a5c6073b4a8194fa145037137ff88f75cbfdb03cc5cb6e087b0

Download Submit
memory/3676-26-0x0000000001300000-0x0000000001308000-memory.dmp

Filesize
32KB

Download
memory/3676-30-0x000000001DF20000-0x000000001E010000-memory.dmp

Filesize
960KB

Download
memory/3676-7-0x000000001C0B0000-0x000000001C57E000-memory.dmp

Filesize
4.8MB

Download
memory/3676-6-0x000000001BAF0000-0x000000001BAFE000-memory.dmp

Filesize
56KB

Download
memory/3676-49-0x00007FFAEC7C0000-0x00007FFAED161000-memory.dmp

Filesize
9.6MB

Download
memory/3676-3-0x000000001B900000-0x000000001B95C000-memory.dmp

Filesize
368KB

Download
memory/3676-2-0x00007FFAEC7C0000-0x00007FFAED161000-memory.dmp

Filesize
9.6MB

Download
memory/3676-23-0x000000001CC10000-0x000000001CC26000-memory.dmp

Filesize
88KB

Download
memory/3676-1-0x00007FFAEC7C0000-0x00007FFAED161000-memory.dmp

Filesize
9.6MB

Download
memory/3676-48-0x00007FFAEC7C0000-0x00007FFAED161000-memory.dmp

Filesize
9.6MB

Download
memory/3676-25-0x000000001B860000-0x000000001B872000-memory.dmp

Filesize
72KB

Download
memory/3676-0-0x00007FFAECA75000-0x00007FFAECA76000-memory.dmp

Filesize
4KB

Download
memory/3676-27-0x0000000001310000-0x0000000001318000-memory.dmp

Filesize
32KB

Download
memory/3676-28-0x000000001CFF0000-0x000000001D052000-memory.dmp

Filesize
392KB

Download
memory/3676-29-0x000000001D960000-0x000000001DF1A000-memory.dmp

Filesize
5.7MB

Download
memory/3676-8-0x000000001C580000-0x000000001C61C000-memory.dmp

Filesize
624KB

Download
memory/3676-31-0x000000001D150000-0x000000001D16E000-memory.dmp

Filesize
120KB

Download
memory/3676-32-0x000000001E020000-0x000000001E069000-memory.dmp

Filesize
292KB

Download
memory/3676-33-0x00007FFAEC7C0000-0x00007FFAED161000-memory.dmp

Filesize
9.6MB

Download
memory/3676-34-0x000000001E100000-0x000000001E170000-memory.dmp

Filesize
448KB

Download
memory/3676-35-0x00007FFAEC7C0000-0x00007FFAED161000-memory.dmp

Filesize
9.6MB

Download
memory/3676-37-0x000000001E3B0000-0x000000001E3C8000-memory.dmp

Filesize
96KB

Download
memory/3676-38-0x000000001D180000-0x000000001D190000-memory.dmp

Filesize
64KB

Download
memory/3676-39-0x000000001E0F0000-0x000000001E0F8000-memory.dmp

Filesize
32KB

Download
memory/3676-42-0x000000001F500000-0x000000001F63C000-memory.dmp

Filesize
1.2MB

Download
memory/3676-45-0x00007FFAEC7C0000-0x00007FFAED161000-memory.dmp

Filesize
9.6MB

Download
memory/3676-46-0x00007FFAECA75000-0x00007FFAECA76000-memory.dmp

Filesize
4KB

Download
memory/3676-47-0x00007FFAEC7C0000-0x00007FFAED161000-memory.dmp

Filesize
9.6MB

Download
memory/4436-21-0x00007FFAEC7C0000-0x00007FFAED161000-memory.dmp

Filesize
9.6MB

Download
memory/4436-14-0x00007FFAEC7C0000-0x00007FFAED161000-memory.dmp

Filesize
9.6MB

Download