Analysis
-
max time kernel
148s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
15-06-2022 15:54
Static task
static1
Behavioral task
behavioral1
Sample
28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exe
Resource
win10v2004-20220414-en
General
-
Target
28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exe
-
Size
523KB
-
MD5
5473ca365a16752d4f366ed7fb157b26
-
SHA1
ff1f1da4a447f7ce24df960376f26dbf296f6a2e
-
SHA256
28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe
-
SHA512
ef25f88aeb3e424632b5136023cb4beb62c1b26957dcaf95a092d6082e91a87b25e72bdce7dacbe90bff1cabcf1fd662158ce2df716862e3e67f9f70db218f6b
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pmwin.exepid process 3744 pmwin.exe -
NTFS ADS 1 IoCs
Processes:
28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exedescription ioc process File created \??\c:\programdata\3f506c878b\pmwin.exe:Zone.Identifier 28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
AUDIODG.EXEdescription pid process Token: 33 2536 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2536 AUDIODG.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exepmwin.exedescription pid process target process PID 3196 wrote to memory of 3744 3196 28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exe pmwin.exe PID 3196 wrote to memory of 3744 3196 28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exe pmwin.exe PID 3196 wrote to memory of 3744 3196 28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exe pmwin.exe PID 3744 wrote to memory of 4076 3744 pmwin.exe REG.exe PID 3744 wrote to memory of 4076 3744 pmwin.exe REG.exe PID 3744 wrote to memory of 4076 3744 pmwin.exe REG.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exe"C:\Users\Admin\AppData\Local\Temp\28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exe"1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
\??\c:\programdata\3f506c878b\pmwin.exec:\programdata\3f506c878b\pmwin.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\3f506c878b3⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3fc 0x4181⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\0MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\3f506c878b\pmwin.exeFilesize
523KB
MD55473ca365a16752d4f366ed7fb157b26
SHA1ff1f1da4a447f7ce24df960376f26dbf296f6a2e
SHA25628f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe
SHA512ef25f88aeb3e424632b5136023cb4beb62c1b26957dcaf95a092d6082e91a87b25e72bdce7dacbe90bff1cabcf1fd662158ce2df716862e3e67f9f70db218f6b
-
\??\c:\programdata\3f506c878b\pmwin.exeFilesize
523KB
MD55473ca365a16752d4f366ed7fb157b26
SHA1ff1f1da4a447f7ce24df960376f26dbf296f6a2e
SHA25628f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe
SHA512ef25f88aeb3e424632b5136023cb4beb62c1b26957dcaf95a092d6082e91a87b25e72bdce7dacbe90bff1cabcf1fd662158ce2df716862e3e67f9f70db218f6b
-
memory/3196-133-0x0000000000140000-0x0000000000150000-memory.dmpFilesize
64KB
-
memory/3744-130-0x0000000000000000-mapping.dmp
-
memory/3744-134-0x0000000000640000-0x0000000000650000-memory.dmpFilesize
64KB
-
memory/4076-136-0x0000000000000000-mapping.dmp