Overview

overview

7

Static

static

3

guess.exe

windows10-1703-x64

7

Resubmissions

13-09-2024 18:39

240913-xa5grasank 7

13-09-2024 18:39

240913-xapfjasakp 7

13-09-2024 18:38

240913-xag2fssepd 7

13-09-2024 18:38

240913-w99ebasenb 7

13-09-2024 18:38

240913-w945la1hrk 7

13-09-2024 18:37

240913-w9jhws1hnj 7

Analysis

  • max time kernel
    14s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13-09-2024 18:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    guess.exe

  • Size

    5.8MB

  • MD5

    be5cdeca07c5e91d204c34db575d0584

  • SHA1

    5d581a372dfd6fd25de52150cfb012b31bbcceff

  • SHA256

    f340b634b04ced4b79471d479d08252a87280cdba0fbc38232cff03f77e17be1

  • SHA512

    0e95bc060e2e42e883d5949c123875eed93ea22946c9fc666193fdede0e360b2396dc71ac8bd47ba9f6539f633eac03c35e06bc150805693ec49fbefb67a32b2

  • SSDEEP

    98304:IfyKcpp0xbq88uOMcvrFOamNH/CcyC+0OgEZKgmtKU9PcpaBXSiOuHYpL94ua5xF:AMwV8YQrFoQCigEZKBhPc8RSuHWulV

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\guess.exe
    "C:\Users\Admin\AppData\Local\Temp\guess.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Users\Admin\AppData\Local\Temp\onefile_4036_133707263662546268\guess.exe
      C:\Users\Admin\AppData\Local\Temp\guess.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3208
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c shutdown -fw -s -t 00
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2284
        • C:\Windows\system32\shutdown.exe
          shutdown -fw -s -t 00
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2268
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c echo ur cute bbg
        3⤵
          PID:1348
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c echo ur cute bbg
          3⤵
            PID:1416
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c echo ur cute bbg
            3⤵
              PID:3224
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c echo ur cute bbg
              3⤵
                PID:5056
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c echo ur cute bbg
                3⤵
                  PID:1300
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c echo ur cute bbg
                  3⤵
                    PID:3840
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c echo ur cute bbg
                    3⤵
                      PID:2468
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c echo ur cute bbg
                      3⤵
                        PID:2320
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c echo ur cute bbg
                        3⤵
                          PID:944
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c echo ur cute bbg
                          3⤵
                            PID:1152
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c echo ur cute bbg
                            3⤵
                              PID:2076
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c echo ur cute bbg
                              3⤵
                                PID:1808
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c echo ur cute bbg
                                3⤵
                                  PID:3196
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c echo ur cute bbg
                                  3⤵
                                    PID:4024
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c echo ur cute bbg
                                    3⤵
                                      PID:2392

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Temp\onefile_4036_133707263662546268\VCRUNTIME140.dll
                                  Filesize

                                  116KB

                                  MD5

                                  be8dbe2dc77ebe7f88f910c61aec691a

                                  SHA1

                                  a19f08bb2b1c1de5bb61daf9f2304531321e0e40

                                  SHA256

                                  4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

                                  SHA512

                                  0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\onefile_4036_133707263662546268\guess.exe
                                  Filesize

                                  5.8MB

                                  MD5

                                  2f260f63ac3d069c7dd82e184ec166ec

                                  SHA1

                                  582333ca84812f237a3db45980e3689fdabee212

                                  SHA256

                                  f2eb82ae7273654bdd4a3727f89f87a356c916f12003ed11fff3faadfd9052b2

                                  SHA512

                                  6dfba6cc75c1705a331488343cebb013fffd5010f0fe069705117f5add8946b86722f8065141b3a231991f61df482c488a94701db76a1f2257695a20201697a2

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\onefile_4036_133707263662546268\python312.dll
                                  Filesize

                                  6.6MB

                                  MD5

                                  cae8fa4e7cb32da83acf655c2c39d9e1

                                  SHA1

                                  7a0055588a2d232be8c56791642cb0f5abbc71f8

                                  SHA256

                                  8ad53c67c2b4db4387d5f72ee2a3ca80c40af444b22bf41a6cfda2225a27bb93

                                  SHA512

                                  db2190da2c35bceed0ef91d7553ff0dea442286490145c3d0e89db59ba1299b0851e601cc324b5f7fd026414fc73755e8eff2ef5fb5eeb1c54a9e13e7c66dd0c

                                  Download Submit