3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe
Size

251KB
MD5

541d40acfed529f53816f8974634d875
SHA1

801444be5fb8efafd8a92dcb51a480cbb6039666
SHA256

85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b
SHA512

e7e653dbbf778533b244808001b7fa440e350c9c2c7fd2c45b52d46cc2f249cbc2a049bc023e4d350484a63b9d3b78b4ca378f7d0e883dcbbc6324c0a3b14c2d
SSDEEP

3072:+Cm3/jdYiAScDuYOr5rfaAP7K7yGzAMVb168yiJXNgfz798beFnHrAnlUwKV:SCiJ8uYOBfaAYyqhe8ZJda98beFnLAl2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2844	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe
Token: SeIncreaseQuotaPrivilege	2648	wmic.exe
Token: SeSecurityPrivilege	2648	wmic.exe
Token: SeTakeOwnershipPrivilege	2648	wmic.exe
Token: SeLoadDriverPrivilege	2648	wmic.exe
Token: SeSystemProfilePrivilege	2648	wmic.exe
Token: SeSystemtimePrivilege	2648	wmic.exe
Token: SeProfSingleProcessPrivilege	2648	wmic.exe
Token: SeIncBasePriorityPrivilege	2648	wmic.exe
Token: SeCreatePagefilePrivilege	2648	wmic.exe
Token: SeBackupPrivilege	2648	wmic.exe
Token: SeRestorePrivilege	2648	wmic.exe
Token: SeShutdownPrivilege	2648	wmic.exe
Token: SeDebugPrivilege	2648	wmic.exe
Token: SeSystemEnvironmentPrivilege	2648	wmic.exe
Token: SeRemoteShutdownPrivilege	2648	wmic.exe
Token: SeUndockPrivilege	2648	wmic.exe
Token: SeManageVolumePrivilege	2648	wmic.exe
Token: 33	2648	wmic.exe
Token: 34	2648	wmic.exe
Token: 35	2648	wmic.exe
Token: SeIncreaseQuotaPrivilege	2648	wmic.exe
Token: SeSecurityPrivilege	2648	wmic.exe
Token: SeTakeOwnershipPrivilege	2648	wmic.exe
Token: SeLoadDriverPrivilege	2648	wmic.exe
Token: SeSystemProfilePrivilege	2648	wmic.exe
Token: SeSystemtimePrivilege	2648	wmic.exe
Token: SeProfSingleProcessPrivilege	2648	wmic.exe
Token: SeIncBasePriorityPrivilege	2648	wmic.exe
Token: SeCreatePagefilePrivilege	2648	wmic.exe
Token: SeBackupPrivilege	2648	wmic.exe
Token: SeRestorePrivilege	2648	wmic.exe
Token: SeShutdownPrivilege	2648	wmic.exe
Token: SeDebugPrivilege	2648	wmic.exe
Token: SeSystemEnvironmentPrivilege	2648	wmic.exe
Token: SeRemoteShutdownPrivilege	2648	wmic.exe
Token: SeUndockPrivilege	2648	wmic.exe
Token: SeManageVolumePrivilege	2648	wmic.exe
Token: 33	2648	wmic.exe
Token: 34	2648	wmic.exe
Token: 35	2648	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2648	2300	85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe	32
PID 2300 wrote to memory of 2648	2300	85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe	32
PID 2300 wrote to memory of 2648	2300	85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe	32
PID 2300 wrote to memory of 2844	2300	85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe	35
PID 2300 wrote to memory of 2844	2300	85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe	35
PID 2300 wrote to memory of 2844	2300	85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe	35
PID 2844 wrote to memory of 2936	2844	cmd.exe	37
PID 2844 wrote to memory of 2936	2844	cmd.exe	37
PID 2844 wrote to memory of 2936	2844	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe
"C:\Users\Admin\AppData\Local\Temp\85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 2 & Del "C:\Users\Admin\AppData\Local\Temp\85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 2
    3⤵
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2300-0-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp

Filesize
4KB

Download
memory/2300-1-0x00000000013B0000-0x00000000013F4000-memory.dmp

Filesize
272KB

Download
memory/2300-2-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-3-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download