2561b5c0b97704fa5206d7000a1018f5924397036b82d08f056f7521c80d34e4

Analysis

max time kernel
147s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23/09/2022, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2561b5c0b97704fa5206d7000a1018f5924397036b82d08f056f7521c80d34e4.exe
Size

400KB
MD5

c7bcb15956d864e39039d3613316c675
SHA1

d7f1399f4abf230ffb02427585d6f306b9d6843d
SHA256

2561b5c0b97704fa5206d7000a1018f5924397036b82d08f056f7521c80d34e4
SHA512

69340e4c0bdc6f7fd329923453d4ba0958ec64a60374f4245010b95665bc028239129b5782e5e574466c8d7ad7d96b653f2193f814e1de0e7e411a95f5426b6d
SSDEEP

12288:CHJfYhK0bUticPtFZboqWIN+hKyDvp7fcMFEWBmcFgzU:CJWu+pFEs/FKU

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
900	2561b5c0b97704fa5206d7000a1018f5924397036b82d08f056f7521c80d34e4.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1920	explorer.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	2561b5c0b97704fa5206d7000a1018f5924397036b82d08f056f7521c80d34e4.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: 33	648	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	648	AUDIODG.EXE
Token: 33	648	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	648	AUDIODG.EXE
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe

C:\Users\Admin\AppData\Local\Temp\2561b5c0b97704fa5206d7000a1018f5924397036b82d08f056f7521c80d34e4.exe
"C:\Users\Admin\AppData\Local\Temp\2561b5c0b97704fa5206d7000a1018f5924397036b82d08f056f7521c80d34e4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1920

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x188
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/900-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1920-55-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp

Filesize
8KB

Download
memory/1920-56-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download