98503953fc161775530847bfa458dce9e3bfcc5b084ecb578a8c5313018704f4

Analysis

max time kernel
139s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98503953fc161775530847bfa458dce9e3bfcc5b084ecb578a8c5313018704f4.exe
Size

849KB
MD5

bf7c5aad2da5e8102f09989456a49728
SHA1

daa567a91aa4351bc4c94ef28c23c3c31f4dd5b4
SHA256

98503953fc161775530847bfa458dce9e3bfcc5b084ecb578a8c5313018704f4
SHA512

162a7e8ad805daa36b6cb20f1b1144452145fcc62163c4c8d84109edad2ad23c10988474f1a837ab2373619c4bc7995ee3fe9931feb66d4156faaef2f550db8c
SSDEEP

12288:/OmPaqhJLOgoNgQNQGDM196uXG2jJwdGoH0v59L2pWp9P8Xv7CdfsOoH61LQ5sOZ:/faCJLvhGo1DXkXOWKOKkLVRDBLuJQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4956	kb117

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2388	cmd.exe
3972	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	kb117
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	kb117

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3972	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4956	kb117
4956	kb117

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4956	5004	98503953fc161775530847bfa458dce9e3bfcc5b084ecb578a8c5313018704f4.exe	84
PID 5004 wrote to memory of 4956	5004	98503953fc161775530847bfa458dce9e3bfcc5b084ecb578a8c5313018704f4.exe	84
PID 4956 wrote to memory of 2388	4956	kb117	91
PID 4956 wrote to memory of 2388	4956	kb117	91
PID 2388 wrote to memory of 3972	2388	cmd.exe	93
PID 2388 wrote to memory of 3972	2388	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\98503953fc161775530847bfa458dce9e3bfcc5b084ecb578a8c5313018704f4.exe
"C:\Users\Admin\AppData\Local\Temp\98503953fc161775530847bfa458dce9e3bfcc5b084ecb578a8c5313018704f4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\Pvmnudvd\kb117
  "C:\Users\Admin\AppData\Local\Temp\Pvmnudvd\kb117"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C ping 127.0.0.1 -n 5 > nul && del "C:\Users\Admin\AppData\Local\Temp\Pvmnudvd\kb117"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Pvmnudvd\kb117

Filesize
526KB

MD5
dcc42d96bb0544380b3d4e14dd37a5c8

SHA1
236eee1b6d68c67b450bce0eed9afa61e7eab68a

SHA256
9520cf9a467ed413a407d39dfc84644e5fe31940e6d7a7c2f149cf313f49f8cd

SHA512
55ef9a623a5eb699e386bcaf50e8e231449cb4c4ced6dcd98c04f1a2822852c14278627eec36b45fa7ae1afaf9f1be565c3a68a655e6645d99325c678e507907

Download Submit
memory/5004-10-0x0000021F01D20000-0x0000021F01D21000-memory.dmp

Filesize
4KB

Download