fd0fb5e8e3dda715720273b30bb3948884287e2251ff9e293e4f1603baf7f773

Analysis

max time kernel
131s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AntiVm.exe
Size

35KB
MD5

4563b06ed7e8526129b2e8ec9206fc30
SHA1

03453f4649f10dbacdf7c81cc5cf9f67f91f3f9b
SHA256

fd0fb5e8e3dda715720273b30bb3948884287e2251ff9e293e4f1603baf7f773
SHA512

da3426baea52d6cf505d9279ec9e536fcd53b7a873c853515e894836c305a3912a0501ffbd52eaf81c0f1802bc5bc729a09e477a03a186ae258cc89c50bbe052
SSDEEP

384:vrDSgYShqrV4jKb1hbcRqI1viLwPxvaATxB4UFu/10AXPGCGHZOVPJ/kRK1rbGjb:rYyuzS18gbXy6Zcx/QKhtPX/0sCp7GK

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AntiVm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3828	wmic.exe
Token: SeSecurityPrivilege	3828	wmic.exe
Token: SeTakeOwnershipPrivilege	3828	wmic.exe
Token: SeLoadDriverPrivilege	3828	wmic.exe
Token: SeSystemProfilePrivilege	3828	wmic.exe
Token: SeSystemtimePrivilege	3828	wmic.exe
Token: SeProfSingleProcessPrivilege	3828	wmic.exe
Token: SeIncBasePriorityPrivilege	3828	wmic.exe
Token: SeCreatePagefilePrivilege	3828	wmic.exe
Token: SeBackupPrivilege	3828	wmic.exe
Token: SeRestorePrivilege	3828	wmic.exe
Token: SeShutdownPrivilege	3828	wmic.exe
Token: SeDebugPrivilege	3828	wmic.exe
Token: SeSystemEnvironmentPrivilege	3828	wmic.exe
Token: SeRemoteShutdownPrivilege	3828	wmic.exe
Token: SeUndockPrivilege	3828	wmic.exe
Token: SeManageVolumePrivilege	3828	wmic.exe
Token: 33	3828	wmic.exe
Token: 34	3828	wmic.exe
Token: 35	3828	wmic.exe
Token: 36	3828	wmic.exe
Token: SeIncreaseQuotaPrivilege	3828	wmic.exe
Token: SeSecurityPrivilege	3828	wmic.exe
Token: SeTakeOwnershipPrivilege	3828	wmic.exe
Token: SeLoadDriverPrivilege	3828	wmic.exe
Token: SeSystemProfilePrivilege	3828	wmic.exe
Token: SeSystemtimePrivilege	3828	wmic.exe
Token: SeProfSingleProcessPrivilege	3828	wmic.exe
Token: SeIncBasePriorityPrivilege	3828	wmic.exe
Token: SeCreatePagefilePrivilege	3828	wmic.exe
Token: SeBackupPrivilege	3828	wmic.exe
Token: SeRestorePrivilege	3828	wmic.exe
Token: SeShutdownPrivilege	3828	wmic.exe
Token: SeDebugPrivilege	3828	wmic.exe
Token: SeSystemEnvironmentPrivilege	3828	wmic.exe
Token: SeRemoteShutdownPrivilege	3828	wmic.exe
Token: SeUndockPrivilege	3828	wmic.exe
Token: SeManageVolumePrivilege	3828	wmic.exe
Token: 33	3828	wmic.exe
Token: 34	3828	wmic.exe
Token: 35	3828	wmic.exe
Token: 36	3828	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 3828	3628	AntiVm.exe	87
PID 3628 wrote to memory of 3828	3628	AntiVm.exe	87
PID 3628 wrote to memory of 3828	3628	AntiVm.exe	87
PID 3628 wrote to memory of 1808	3628	AntiVm.exe	90
PID 3628 wrote to memory of 1808	3628	AntiVm.exe	90
PID 3628 wrote to memory of 1808	3628	AntiVm.exe	90

C:\Users\Admin\AppData\Local\Temp\AntiVm.exe
"C:\Users\Admin\AppData\Local\Temp\AntiVm.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic diskdrive get model
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads