Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/09/2024, 06:11
Static task: static1
  signatures: 1
Behavioral task: behavioral1
  Sample: exodus.exe
  Resource: win7-20240903-en
  signatures: 1
  duration: 150 seconds
Behavioral task: behavioral2
  Sample: exodus.exe
  Resource: win10v2004-20240802-en
  signatures: 2
  duration: 150 seconds
General
Target: exodus.exe
Size: 35.6MB
MD5: d18ed22b855ebee6505aa6d42ab89c29
SHA1: 0eeac10f9673956b37c9906a24371e41b3d6c593
SHA256: c5a63def33f26ef41126706e4b1b0e9e14f0be8d3ac1ff2fda6655aa0beec27b
SHA512: 6368fed008a8e0c4a18c14814fd2e94b8366b4b4077a96b72b1ad418869ff42f57344cd25faf1128f00ff1c9f6dd2cf53e39645fefd26d22621fccfad0b5d3fc
SSDEEP: 786432:d0LoCOn+22s4urYDNulLBiuyRwduAxZM0:dMoCm/2XwP
Score: 1/10
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (42 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 724 | WMIC.exe
Token: SeSecurityPrivilege | 724 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 724 | WMIC.exe
Token: SeLoadDriverPrivilege | 724 | WMIC.exe
Token: SeSystemProfilePrivilege | 724 | WMIC.exe
Token: SeSystemtimePrivilege | 724 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 724 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 724 | WMIC.exe
Token: SeCreatePagefilePrivilege | 724 | WMIC.exe
Token: SeBackupPrivilege | 724 | WMIC.exe
Token: SeRestorePrivilege | 724 | WMIC.exe
Token: SeShutdownPrivilege | 724 | WMIC.exe
Token: SeDebugPrivilege | 724 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 724 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 724 | WMIC.exe
Token: SeUndockPrivilege | 724 | WMIC.exe
Token: SeManageVolumePrivilege | 724 | WMIC.exe
Token: 33 | 724 | WMIC.exe
Token: 34 | 724 | WMIC.exe
Token: 35 | 724 | WMIC.exe
Token: 36 | 724 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 724 | WMIC.exe
Token: SeSecurityPrivilege | 724 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 724 | WMIC.exe
Token: SeLoadDriverPrivilege | 724 | WMIC.exe
Token: SeSystemProfilePrivilege | 724 | WMIC.exe
Token: SeSystemtimePrivilege | 724 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 724 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 724 | WMIC.exe
Token: SeCreatePagefilePrivilege | 724 | WMIC.exe
Token: SeBackupPrivilege | 724 | WMIC.exe
Token: SeRestorePrivilege | 724 | WMIC.exe
Token: SeShutdownPrivilege | 724 | WMIC.exe
Token: SeDebugPrivilege | 724 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 724 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 724 | WMIC.exe
Token: SeUndockPrivilege | 724 | WMIC.exe
Token: SeManageVolumePrivilege | 724 | WMIC.exe
Token: 33 | 724 | WMIC.exe
Token: 34 | 724 | WMIC.exe
Token: 35 | 724 | WMIC.exe
Token: 36 | 724 | WMIC.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 944 wrote to memory of 3044 | 944 | exodus.exe | 87
PID 944 wrote to memory of 3044 | 944 | exodus.exe | 87
PID 3044 wrote to memory of 724 | 3044 | cmd.exe | 88
PID 3044 wrote to memory of 724 | 3044 | cmd.exe | 88
Processes
1. C:\Users\Admin\AppData\Local\Temp\exodus.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\exodus.exe"
   PID: 944
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      PID: 3044
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\Wbem\WMIC.exe
         command line: wmic csproduct get uuid
         PID: 724
         - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\System32\rundll32.exe
   command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
   PID: 3748