af1934aaf8568f4dcef87bfd782cbc17ad1fe1757cebaf84cd5ef510ab8a4590

Analysis

max time kernel
143s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-09-2022 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

McAfee_Installer_serial_EAJ2du6QN92S5ciEQRGJ3g2_key_affid_1249_akey.exe
Size

79.7MB
MD5

d71b768695e1528a79fe09208fbc3fa9
SHA1

d2b0135f0ee93421c7a72c565aef39f21b21951a
SHA256

af1934aaf8568f4dcef87bfd782cbc17ad1fe1757cebaf84cd5ef510ab8a4590
SHA512

172db981be0f9f1cec2c1a20d7f3a98225dad4f1a5a140f558a1e947a644962f09b857c8be4e15e2586aacbc58cfeae46a7367be6f38b8935014cd16fb52c5d6
SSDEEP

1572864:DFKLm9nBR1XAjxHfccd7kNqKf6uRK7/QlMWIrnNBypju1JFo:DFAm93toHfcQ7kLCuR/udrNQpMJFo

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

McAfee_Installer_serial_EAJ2du6QN92S5ciEQRGJ3g2_key_affid_1249_akey.exe

pid	process
1520	McAfee_Installer_serial_EAJ2du6QN92S5ciEQRGJ3g2_key_affid_1249_akey.exe
1520	McAfee_Installer_serial_EAJ2du6QN92S5ciEQRGJ3g2_key_affid_1249_akey.exe
1520	McAfee_Installer_serial_EAJ2du6QN92S5ciEQRGJ3g2_key_affid_1249_akey.exe
1520	McAfee_Installer_serial_EAJ2du6QN92S5ciEQRGJ3g2_key_affid_1249_akey.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1452	AUDIODG.EXE
Token: 33	1452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1452	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\McAfee_Installer_serial_EAJ2du6QN92S5ciEQRGJ3g2_key_affid_1249_akey.exe
"C:\Users\Admin\AppData\Local\Temp\McAfee_Installer_serial_EAJ2du6QN92S5ciEQRGJ3g2_key_affid_1249_akey.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1520

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\OobeFldr.dll,ShowWelcomeCenter LaunchedBy_StartMenuShortcut
1⤵
PID:1000

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1416

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:584

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x574
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1000-55-0x000007FEFB801000-0x000007FEFB803000-memory.dmp

Filesize
8KB

Download
memory/1416-57-0x0000000072391000-0x0000000072393000-memory.dmp

Filesize
8KB

Download
memory/1520-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download