Analysis

max time kernel: 140s
max time network: 52s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2022, 19:47
Static task: static1

Behavioral task: behavioral1
  Sample: c24e1ec2612bac413e22c4e361368e63c09d30a8638229657119f56729e4b416.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: c24e1ec2612bac413e22c4e361368e63c09d30a8638229657119f56729e4b416.exe
  Resource: win10v2004-20220812-en
General

Target: c24e1ec2612bac413e22c4e361368e63c09d30a8638229657119f56729e4b416.exe
Size: 107KB
MD5: de39fd19490ba95f407aa1e7833ac268
SHA1: 1e5bedf4a87b39551b0cd5bb2db2173ff47e03db
SHA256: c24e1ec2612bac413e22c4e361368e63c09d30a8638229657119f56729e4b416
SHA512: 1ac38796cee2c667888c52447ea79c094c9361c6bebe96cefe66f8e62704540c13b1c35333b821dc5aec10b260cb715ea66f1e49b66cb680ad1b5afe2da71c7a
SSDEEP: 1536:7pqFQnVOw66Txr2Lx0cMj7ZQejq0QnqUyDDkgJYIkgX4/i+VwFuSsy:8QV71A0/j7y6KqXPk6Y9E49w8Ssy
Malware Config
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\WINDOWS\LINKINFO.DLL | c24e1ec2612bac413e22c4e361368e63c09d30a8638229657119f56729e4b416.exe
File created | C:\WINDOWS\SFDLL.DLL | c24e1ec2612bac413e22c4e361368e63c09d30a8638229657119f56729e4b416.exe
File created | C:\Windows\olinkinfo.dll | c24e1ec2612bac413e22c4e361368e63c09d30a8638229657119f56729e4b416.exe
File opened for modification | C:\Windows\olinkinfo.dll | c24e1ec2612bac413e22c4e361368e63c09d30a8638229657119f56729e4b416.exe

Modifies Internet Explorer settings (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe

Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
1380 | c24e1ec2612bac413e22c4e361368e63c09d30a8638229657119f56729e4b416.exe

Suspicious use of AdjustPrivilegeToken (17 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 824 | explorer.exe (10 identical entries)
Token: 33 | 1532 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1532 | AUDIODG.EXE
Token: 33 | 1532 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1532 | AUDIODG.EXE
Token: SeShutdownPrivilege | 824 | explorer.exe (3 identical entries)

Suspicious use of FindShellTrayWindow (26 IoCs)
pid | Process
824 | explorer.exe (26 identical entries)

Suspicious use of SendNotifyMessage (17 IoCs)
pid | Process
824 | explorer.exe (17 identical entries)

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1380 wrote to memory of 824 | 1380 | c24e1ec2612bac413e22c4e361368e63c09d30a8638229657119f56729e4b416.exe | 27 (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\c24e1ec2612bac413e22c4e361368e63c09d30a8638229657119f56729e4b416.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c24e1ec2612bac413e22c4e361368e63c09d30a8638229657119f56729e4b416.exe"
  PID: 1380
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process:
    C:\Windows\explorer.exe
      Command line: C:\Windows\explorer.exe
      PID: 824
      - Modifies Installed Components in the registry
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x568
  PID: 1532
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 1684
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 13KB
MD5: 1387ce50932aa43e069f3dd078152853
SHA1: 2842272cff673d0bbaedb7eaac64eec798b7a5d6
SHA256: 49b5ebdb5244ed62c0ea91822e8faedab799edd85e00aa5119354a6946f208cb
SHA512: 13985d501e75ed2b718c7f9ed3ecee239628495d1e8017c147c4447cb489da290526eca709acb8236a4991854ab41ecd62970077fc1f84926dbee3ae4995b698