Analysis
- max time kernel: 133s
- max time network: 136s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 05/08/2024, 15:59
Static task: static1
Behavioral task: behavioral1
- Sample: ConsoleApplication4.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: ConsoleApplication4.exe
- Resource: win10v2004-20240802-en
General
- Target: ConsoleApplication4.exe
- Size: 440KB
- MD5: 57af9f8ace4ef7916f3fee50ce8e9e21
- SHA1: 5bba0970399a3f8cd5f00552cc01a8779f2ab9b9
- SHA256: 08a14dba6dd0346166cb3f83910445da3e940559543b670b04de8c22c94d78be
- SHA512: 5c4464ba99b851380a7040e66bfd5f1c1721a97cbf12561731076a0825e172182e353aeef291fad872e0e227e22f00193a3eb0a633b06fd86338ba3ef4def1b6
- SSDEEP: 6144:hEY5x8yvYfwmZVMGANc3OCbgFOCIJfkTn5OEfvpQDdubt8OHJmf68T7kJ8KoIw:WY5OyvIwmZANc+CbYGWVfFWpTQj
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid   Process
  3188  svchost.exe
  4380  svchost.exe
- System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WMIC.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WMIC.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ConsoleApplication4.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ConsoleApplication4.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 4 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2720  cmd.exe
  308   PING.EXE
  4508  cmd.exe
  4660  PING.EXE
- Runs ping.exe (1 TTPs, 2 IoCs)
  pid   Process
  308   PING.EXE
  4660  PING.EXE
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (30 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\ConsoleApplication4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ConsoleApplication4.exe"
  PID: 3380
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    PID: 3188
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
      PID: 2720
      Signatures:
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 1 1.1.1.1
        PID: 308
        Signatures:
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
      PID: 4632
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic csproduct get uuid
        PID: 1728
        Signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4572
- C:\Users\Admin\AppData\Local\Temp\ConsoleApplication4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ConsoleApplication4.exe"
  PID: 4956
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    PID: 4380
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
      PID: 4508
      Signatures:
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 1 1.1.1.1
        PID: 4660
        Signatures:
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
      PID: 4320
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic csproduct get uuid
        PID: 3740
        Signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.0MB
- MD5: d43df96b6993162d5eda2f9af344f308
- SHA1: 3ff01450e55d445e974deeb609e1bcd1c219237c
- SHA256: 5e0bd7411b1233898ef8803de04c81e22fe40b554d6e81c63a6df671ef0b8bf7
- SHA512: b18c13954a9c3cba6954cbdd2465d6ed6965898ed0340228882c4f2ac30b62046456758b24258b8c6b5fc59da06f2517fac05508882d317b990b74f020b4a894