12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066

Analysis

max time kernel
152s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe
Size

647KB
MD5

6964ee62d4beebd5da6f288350db6b10
SHA1

91f59ee4f3589c4579cbf53bd5e62e583b8e265d
SHA256

12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066
SHA512

1033c4a13e11ba0bd6b16e4187bd709620ab161f44b35bbc322c61d8b63d3ad35af3c85d3738fd120f125fd3aac1e873e71ff1d6af6e3d3f2ba7f68786ab8fd9
SSDEEP

6144:HyH7xOc6H5c6HcT66vlmQ6C/uT4HJJJJJJDa8Fc3pGNWXcIPNaAar8Qa:Ha/a5b4Zov

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
840	svchost.exe
4664	12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe
1528	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
4664	12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4884	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4884	AUDIODG.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 840	1676	12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe	84
PID 1676 wrote to memory of 840	1676	12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe	84
PID 1676 wrote to memory of 840	1676	12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe	84
PID 840 wrote to memory of 4664	840	svchost.exe	85
PID 840 wrote to memory of 4664	840	svchost.exe	85
PID 840 wrote to memory of 4664	840	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe
"C:\Users\Admin\AppData\Local\Temp\12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Users\Admin\AppData\Local\Temp\12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe
    "C:\Users\Admin\AppData\Local\Temp\12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4664

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1528

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x528 0x51c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe

Filesize
612KB

MD5
97ea456e257b71cec2b36000d66a2cdc

SHA1
3aedb25f95ddcf9c9697c2221f03a77e6bac512f

SHA256
a95dd946acbe215a4bd9e214e42829a515283da5c85884f00a2004b4ee903bbf

SHA512
4b0f2a5a36adb39f0646fd52d7ac53c1fb3528fe9a3fbd226353ec6d81eefddefa92d0914b4c42797caae67c8c6ae41b08800975b39f6a5e4608fe77dab2d296

Download Submit
C:\Users\Admin\AppData\Local\Temp\12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe

Filesize
612KB

MD5
97ea456e257b71cec2b36000d66a2cdc

SHA1
3aedb25f95ddcf9c9697c2221f03a77e6bac512f

SHA256
a95dd946acbe215a4bd9e214e42829a515283da5c85884f00a2004b4ee903bbf

SHA512
4b0f2a5a36adb39f0646fd52d7ac53c1fb3528fe9a3fbd226353ec6d81eefddefa92d0914b4c42797caae67c8c6ae41b08800975b39f6a5e4608fe77dab2d296

Download Submit
C:\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
9KB

MD5
780d14604d49e3c634200c523def8351

SHA1
e208ef6f421d2260070a9222f1f918f1de0a8eeb

SHA256
844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2

SHA512
a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
a2dcf14a9e2b1003b484fa7b3203f168

SHA1
8da3c84acbeaa3dc76a2ceff518460ae37a12089

SHA256
5980affb855b100280a2d82a0bc56feb6c5121e3ec0d15869def2c37c6390c5d

SHA512
8ffbb737a4a6b8ca2a27b0ec47c53e1aed90d626725e91f4d97228deeb03aff3b60be4ef004b83d2368ec54da448d32befb5655613cabfb7a752cfcdd9e2855a

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
a2dcf14a9e2b1003b484fa7b3203f168

SHA1
8da3c84acbeaa3dc76a2ceff518460ae37a12089

SHA256
5980affb855b100280a2d82a0bc56feb6c5121e3ec0d15869def2c37c6390c5d

SHA512
8ffbb737a4a6b8ca2a27b0ec47c53e1aed90d626725e91f4d97228deeb03aff3b60be4ef004b83d2368ec54da448d32befb5655613cabfb7a752cfcdd9e2855a

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
a2dcf14a9e2b1003b484fa7b3203f168

SHA1
8da3c84acbeaa3dc76a2ceff518460ae37a12089

SHA256
5980affb855b100280a2d82a0bc56feb6c5121e3ec0d15869def2c37c6390c5d

SHA512
8ffbb737a4a6b8ca2a27b0ec47c53e1aed90d626725e91f4d97228deeb03aff3b60be4ef004b83d2368ec54da448d32befb5655613cabfb7a752cfcdd9e2855a

Download Submit
memory/4664-138-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4664-141-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download