Analysis
max time kernel: 4265058s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 14-01-2022 16:58
Static task: static1
Behavioral task: behavioral1
  Sample: aea21ab88cca720a34ec1c9c4794f82a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: aea21ab88cca720a34ec1c9c4794f82a.exe
  Resource: win10v2004-en-20220112
General
Target: aea21ab88cca720a34ec1c9c4794f82a.exe
Size: 749KB
MD5: aea21ab88cca720a34ec1c9c4794f82a
SHA1: 5241d6fd4013ec8251df46e231665471a8ca70db
SHA256: 498421bc4c78ba9bf7c9d669bd9958cf2c0c1cc89e94288800fe004400821ef3
SHA512: 9503ec3b595db2edee075254da608284a0ffbe33b4f86e3e703293f49c73ef7e5069454608ee23a9f3b3062ef3325e9bed0b4d9b6e8a7e3239942033eb400f38
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 3972  aea21ab88cca720a34ec1c9c4794f82a.tmp
    pid 3548  7((_8888YTR(.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid 3972  aea21ab88cca720a34ec1c9c4794f82a.tmp
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        MusNotification.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   MusNotification.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeShutdownPrivilege        pid 208  MusNotification.exe
    Token: SeCreatePagefilePrivilege  pid 208  MusNotification.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
    PID 388 wrote to memory of 3972   388   aea21ab88cca720a34ec1c9c4794f82a.exe  aea21ab88cca720a34ec1c9c4794f82a.tmp
    PID 388 wrote to memory of 3972   388   aea21ab88cca720a34ec1c9c4794f82a.exe  aea21ab88cca720a34ec1c9c4794f82a.tmp
    PID 388 wrote to memory of 3972   388   aea21ab88cca720a34ec1c9c4794f82a.exe  aea21ab88cca720a34ec1c9c4794f82a.tmp
    PID 3972 wrote to memory of 3548  3972  aea21ab88cca720a34ec1c9c4794f82a.tmp  7((_8888YTR(.exe
    PID 3972 wrote to memory of 3548  3972  aea21ab88cca720a34ec1c9c4794f82a.tmp  7((_8888YTR(.exe
    PID 3548 wrote to memory of 3500  3548  7((_8888YTR(.exe                      fondue.exe
    PID 3548 wrote to memory of 3500  3548  7((_8888YTR(.exe                      fondue.exe
Processes (process tree; PIDs taken from the signature entries above)
1. "C:\Users\Admin\AppData\Local\Temp\aea21ab88cca720a34ec1c9c4794f82a.exe" (PID 388)
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Local\Temp\is-6VMFR.tmp\aea21ab88cca720a34ec1c9c4794f82a.tmp" /SL5="$10011A,506086,422400,C:\Users\Admin\AppData\Local\Temp\aea21ab88cca720a34ec1c9c4794f82a.exe" (PID 3972)
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. "C:\Users\Admin\AppData\Local\Temp\is-S8JTM.tmp\7((_8888YTR(.exe" /S /UID=rec7 (PID 3548)
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll (PID 3500)
1. C:\Windows\system32\MusNotification.exe (PID 208)
   - Checks processor information in registry
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\is-6VMFR.tmp\aea21ab88cca720a34ec1c9c4794f82a.tmp
  MD5: 91d64d52451891441d23398dd3a6e05e
  SHA1: 48acbb102a9f4a15398a93f290994fe306431b92
  SHA256: 86c6f7b0b4ea6b716351b45b1b8809a56ac3efcd0e02859ae2d113c3ef2e088b
  SHA512: ce7024c1e497da18708afdedfca6c0e95a012d3173b9d659cf5c4e58cde670d6b53bc95beedf86ec0995db341c165992a29a238798f81d425671a3229b8184e8
- C:\Users\Admin\AppData\Local\Temp\is-S8JTM.tmp\7((_8888YTR(.exe
  MD5: f97d18bae067594234dc3ea8e06d10a1
  SHA1: fbc62c900d9a2e05d0fb5d544dbb0f4ae5119261
  SHA256: 2f19b526f1f1dc0d9d4d771f6138e74bf778b4caa042b9f6699dad287b03e8ab
  SHA512: 4e124fba18766da2630f3c6edc1e576a06ec263978335431e17ecf4d362c83be20c6bd29d451cd38985f2ba41f4ae4a4cd2db89cfc56726f01b31e5c5b143e60
- C:\Users\Admin\AppData\Local\Temp\is-S8JTM.tmp\idp.dll
  MD5: 8f995688085bced38ba7795f60a5e1d3
  SHA1: 5b1ad67a149c05c50d6e388527af5c8a0af4343a
  SHA256: 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
  SHA512: 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
Memory dumps:
- memory/388-132-0x0000000000400000-0x000000000046D000-memory.dmp (filesize 436KB)
- memory/3500-140-0x0000000000000000-mapping.dmp
- memory/3548-137-0x0000000000000000-mapping.dmp
- memory/3972-133-0x0000000000000000-mapping.dmp
- memory/3972-135-0x00000000006E0000-0x00000000006E1000-memory.dmp (filesize 4KB)