8bd0c2de7af721194571df16912e01228e4e1d2a2f26470d7947f231c05b4269

Resubmissions

02-11-2020 09:24

201102-7dbe5bltjn 10

02-11-2020 08:10

201102-3my475sppj 8

Analysis

max time kernel
126s
max time network
125s
platform
windows7_x64
resource
win7v20201028
submitted
02-11-2020 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe
Size

134KB
MD5

0a0b0ac20e9fe72753e74def1e37724f
SHA1

fd683b33ee10ba92e485f76fbad9b48a2e697358
SHA256

ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f
SHA512

3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

PKwGZgDZplan.exeoVCuegvyXlan.exe

pid process

1376 PKwGZgDZplan.exe
1224 oVCuegvyXlan.exe

pid	process
1376	PKwGZgDZplan.exe
1224	oVCuegvyXlan.exe

Loads dropped DLL 4 IoCs

Processes:

ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe

pid	process
1056	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe
1056	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe
1056	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe
1056	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	928	AUDIODG.EXE
Token: 33	928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	928	AUDIODG.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe

description	pid	process	target process
PID 1056 wrote to memory of 1376	1056	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	PKwGZgDZplan.exe
PID 1056 wrote to memory of 1376	1056	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	PKwGZgDZplan.exe
PID 1056 wrote to memory of 1376	1056	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	PKwGZgDZplan.exe
PID 1056 wrote to memory of 1376	1056	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	PKwGZgDZplan.exe
PID 1056 wrote to memory of 1224	1056	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	oVCuegvyXlan.exe
PID 1056 wrote to memory of 1224	1056	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	oVCuegvyXlan.exe
PID 1056 wrote to memory of 1224	1056	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	oVCuegvyXlan.exe
PID 1056 wrote to memory of 1224	1056	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	oVCuegvyXlan.exe

C:\Users\Admin\AppData\Local\Temp\ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe
"C:\Users\Admin\AppData\Local\Temp\ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\Temp\PKwGZgDZplan.exe
"C:\Users\Admin\AppData\Local\Temp\PKwGZgDZplan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1376

C:\Users\Admin\AppData\Local\Temp\oVCuegvyXlan.exe
"C:\Users\Admin\AppData\Local\Temp\oVCuegvyXlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1224

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:572

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x524
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OJIPNEHAGlan.exe

MD5
0a0b0ac20e9fe72753e74def1e37724f

SHA1
fd683b33ee10ba92e485f76fbad9b48a2e697358

SHA256
ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

SHA512
3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Download Submit
C:\Users\Admin\AppData\Local\Temp\PKwGZgDZplan.exe

MD5
0a0b0ac20e9fe72753e74def1e37724f

SHA1
fd683b33ee10ba92e485f76fbad9b48a2e697358

SHA256
ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

SHA512
3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVCuegvyXlan.exe

MD5
0a0b0ac20e9fe72753e74def1e37724f

SHA1
fd683b33ee10ba92e485f76fbad9b48a2e697358

SHA256
ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

SHA512
3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Download Submit
\Users\Admin\AppData\Local\Temp\OJIPNEHAGlan.exe

MD5
0a0b0ac20e9fe72753e74def1e37724f

SHA1
fd683b33ee10ba92e485f76fbad9b48a2e697358

SHA256
ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

SHA512
3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Download Submit
\Users\Admin\AppData\Local\Temp\OJIPNEHAGlan.exe

MD5
0a0b0ac20e9fe72753e74def1e37724f

SHA1
fd683b33ee10ba92e485f76fbad9b48a2e697358

SHA256
ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

SHA512
3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Download Submit
\Users\Admin\AppData\Local\Temp\PKwGZgDZplan.exe

MD5
0a0b0ac20e9fe72753e74def1e37724f

SHA1
fd683b33ee10ba92e485f76fbad9b48a2e697358

SHA256
ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

SHA512
3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Download Submit
\Users\Admin\AppData\Local\Temp\PKwGZgDZplan.exe

MD5
0a0b0ac20e9fe72753e74def1e37724f

SHA1
fd683b33ee10ba92e485f76fbad9b48a2e697358

SHA256
ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

SHA512
3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Download Submit
\Users\Admin\AppData\Local\Temp\oVCuegvyXlan.exe

MD5
0a0b0ac20e9fe72753e74def1e37724f

SHA1
fd683b33ee10ba92e485f76fbad9b48a2e697358

SHA256
ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

SHA512
3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Download Submit
\Users\Admin\AppData\Local\Temp\oVCuegvyXlan.exe

MD5
0a0b0ac20e9fe72753e74def1e37724f

SHA1
fd683b33ee10ba92e485f76fbad9b48a2e697358

SHA256
ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

SHA512
3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Download Submit
memory/1224-6-0x0000000000000000-mapping.dmp

Download
memory/1280-10-0x0000000000000000-mapping.dmp

Download
memory/1376-2-0x0000000000000000-mapping.dmp

Download