5015af8fb5725c4c9ebac28a890128587b888acddab6cc9ff06e94e782713882

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:39

Target

screenshot2016.exe
Size

4.6MB
MD5

b8c469c681323bad2efac3b30897e18f
SHA1

56bae6961b1fc0e3415b57483c1c21b8eaebd4b8
SHA256

121dd64aa3a17da1a9d27ae4ac84538a3b8ec23abec2f5f6e69a06f7826c4df5
SHA512

7184f92a537ea0737933190291bf49f64ecdba62739f2ea3546bb90f4868b08b48711eadbfd4c3d4166785abf1d759808d399c73cdf0cc2929a422ed6ff32f15
SSDEEP

49152:kvLL7UyvZBZF6DFrpnC6DFrpn67n7Z/1cvLL7UyVZbvLL7UygvLL7UyHvLL7Uy1l:krUy3KNpnCKNpnjrUybrUygrUyHrUy

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

CaptureItPlus.exe

pid process

2088 CaptureItPlus.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CaptureItPlus.exe

pid process

2088 CaptureItPlus.exe
2088 CaptureItPlus.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

screenshot2016.exeCaptureItPlus.exe

description pid process

Token: SeDebugPrivilege 2868 screenshot2016.exe
Token: SeDebugPrivilege 2088 CaptureItPlus.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

CaptureItPlus.exe

pid process

2088 CaptureItPlus.exe
2088 CaptureItPlus.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

CaptureItPlus.exe

pid process

2088 CaptureItPlus.exe
2088 CaptureItPlus.exe

pid	process
2088	CaptureItPlus.exe

pid	process
2088	CaptureItPlus.exe
2088	CaptureItPlus.exe

description	pid	process
Token: SeDebugPrivilege	2868	screenshot2016.exe
Token: SeDebugPrivilege	2088	CaptureItPlus.exe

pid	process
2088	CaptureItPlus.exe
2088	CaptureItPlus.exe

pid	process
2088	CaptureItPlus.exe
2088	CaptureItPlus.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

screenshot2016.exe

description	pid	process	target process
PID 2868 wrote to memory of 2088	2868	screenshot2016.exe	CaptureItPlus.exe
PID 2868 wrote to memory of 2088	2868	screenshot2016.exe	CaptureItPlus.exe
PID 2868 wrote to memory of 2088	2868	screenshot2016.exe	CaptureItPlus.exe

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe

Filesize
410KB

MD5
e8cc55a833bfd86a6d3c4ad8391050cb

SHA1
dee0d797b0ccf1cd6c47b6c9fa9f157ccf3e4c62

SHA256
24b6c0f724c496aefab3e6a58b194213dc4ca4016e50ce8428b4fe15c6b6b240

SHA512
9c0639a3efaefd2a0c3dbc2ead4f1314290ac4506997f8026a62be0f641c79509201198bab7bd0496f19875b8571c6fd519520e0b0b4d673ef0121156178fca3

Download Submit
memory/2088-9-0x0000000000340000-0x00000000003AC000-memory.dmp

Filesize
432KB

Download
memory/2088-10-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2088-11-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2088-14-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2868-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2868-1-0x0000000000B30000-0x0000000000FCE000-memory.dmp

Filesize
4.6MB

Download
memory/2868-2-0x00000000004F0000-0x000000000053C000-memory.dmp

Filesize
304KB

Download
memory/2868-4-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2868-12-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2868-13-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download