cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4

Analysis

max time kernel
190s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe
Size

411KB
MD5

43f00ac70907c2ae19ee0cfbc78d9467
SHA1

d6fe65fab71bae498b443d673db1609cc2d20ffe
SHA256

cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4
SHA512

b4f160de78b2091a945a7e0c5c4c602791c5548f01b9d7403fd861f642115892f08ca5fd78b15e54dc6e68764096185545a61de720a1b69c527c21a034ed5414
SSDEEP

12288:Lc//////1TKbAmQFC7Np/psw+w3bP/2YXkkYn2KQo+d0o:Lc//////1TY7Np/D+AbPRYz+dX

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4488	dlaler.exe
1108	dlaler.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 532 set thread context of 3912	532	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	79
PID 4488 set thread context of 1108	4488	dlaler.exe	81

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\dlaler.exe	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe
File opened for modification	C:\Windows\dlaler.exe	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3912	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe
Token: SeDebugPrivilege	1108	dlaler.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1108	dlaler.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1108	dlaler.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 3912	532	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	79
PID 532 wrote to memory of 3912	532	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	79
PID 532 wrote to memory of 3912	532	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	79
PID 532 wrote to memory of 3912	532	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	79
PID 532 wrote to memory of 3912	532	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	79
PID 3912 wrote to memory of 4488	3912	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	80
PID 3912 wrote to memory of 4488	3912	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	80
PID 3912 wrote to memory of 4488	3912	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	80
PID 4488 wrote to memory of 1108	4488	dlaler.exe	81
PID 4488 wrote to memory of 1108	4488	dlaler.exe	81
PID 4488 wrote to memory of 1108	4488	dlaler.exe	81
PID 4488 wrote to memory of 1108	4488	dlaler.exe	81
PID 4488 wrote to memory of 1108	4488	dlaler.exe	81

C:\Users\Admin\AppData\Local\Temp\cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe
"C:\Users\Admin\AppData\Local\Temp\cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:532
- C:\Users\Admin\AppData\Local\Temp\cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe
  C:\Users\Admin\AppData\Local\Temp\cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Windows\dlaler.exe
    C:\Windows\dlaler.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\dlaler.exe
      C:\Windows\dlaler.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\dlaler.exe

Filesize
411KB

MD5
43f00ac70907c2ae19ee0cfbc78d9467

SHA1
d6fe65fab71bae498b443d673db1609cc2d20ffe

SHA256
cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4

SHA512
b4f160de78b2091a945a7e0c5c4c602791c5548f01b9d7403fd861f642115892f08ca5fd78b15e54dc6e68764096185545a61de720a1b69c527c21a034ed5414

Download Submit
C:\Windows\dlaler.exe

Filesize
411KB

MD5
43f00ac70907c2ae19ee0cfbc78d9467

SHA1
d6fe65fab71bae498b443d673db1609cc2d20ffe

SHA256
cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4

SHA512
b4f160de78b2091a945a7e0c5c4c602791c5548f01b9d7403fd861f642115892f08ca5fd78b15e54dc6e68764096185545a61de720a1b69c527c21a034ed5414

Download Submit
C:\Windows\dlaler.exe

Filesize
411KB

MD5
43f00ac70907c2ae19ee0cfbc78d9467

SHA1
d6fe65fab71bae498b443d673db1609cc2d20ffe

SHA256
cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4

SHA512
b4f160de78b2091a945a7e0c5c4c602791c5548f01b9d7403fd861f642115892f08ca5fd78b15e54dc6e68764096185545a61de720a1b69c527c21a034ed5414

Download Submit
memory/1108-145-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1108-146-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3912-133-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3912-134-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3912-135-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3912-144-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download