8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511

Analysis

max time kernel
60s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2022, 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
Size

33KB
MD5

7c01f72d9cd576b450079a66ee346ab9
SHA1

4cd2b7588575109c9a667f41b6ad810d29c50acc
SHA256

8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511
SHA512

5db6c109b39194367c76f306f2b795cfffebec15bd0ad89f6d384bd565ad032a13aeb4de1676f8ab0244440e322c0e66a23cb08314cd69adb99e13c291a64b19
SSDEEP

384:dkXYJD5aKS/Xd4T/p5g5YOJrE2fwHl9dW9aBcpMQiW4zmkZXOfq1IK2ZkLChvPwV:d4KUgg5YEJIhXbOfq1Wkmmpd5

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\SHUTDOWN.EXE-E7D5C9CC.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\LOGONUI.EXE-09140401.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\MSEDGE.EXE-78F14B88.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-08AF006C.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-156D43F1.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\BACKGROUNDTASKHOST.EXE-145A3777.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-99F89D15.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-033BBABB.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-EDE0F878.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-F7F7800E.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\WLRMDR.EXE-C2B47318.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-1463E66D.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-005D3145.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-C4B5739C.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-AA27F323.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-E45D8788.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\WMIADAP.EXE-F8DFDFA2.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\PfSvPerfStats.bin	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-0A03C9B5.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-894C9E34.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-C5BE1C43.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\REG.EXE-E7E8BD26.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-976DB280.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-D71F3FEA.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-E8196656.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SGRMBROKER.EXE-0CA31CC6.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\ONEDRIVESETUP.EXE-8CE5A462.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-16AF9B6E.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-32DA767E.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-4BA0E729.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\Trace1.fx	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\COMPPKGSRV.EXE-21DBED9C.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-1589E4C3.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\TIWORKER.EXE-C101ABCD.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-7CFEDEA3.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-F027B880.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-570206E5.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-A73FB9CB.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-373C0EED.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SEARCHINDEXER.EXE-4A6353B9.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\WMIC.EXE-A7D06383.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\FODHELPER.EXE-8ECD01E5.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\NGEN.EXE-AE594A6B.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-23EA2E5B.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-D217A328.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-4DC9A20E.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SPPSVC.EXE-B0F8131B.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\VSSVC.EXE-B8AFC319.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-DF3D779F.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-FF8EBD82.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-FC981FFE.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-6F2A95AF.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7F337F0A.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-94A02D86.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\BACKGROUNDTRANSFERHOST.EXE-CF5B50C1.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-8AFD300C.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-D2B15AE2.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-8E7849D3.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\AgAppLaunch.db	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\J3YVEE.EXE-40A97F16.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\LINQWEBCONFIG.EXE-0FDCD1CB.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-5AC380EC.pf	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1612	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe

C:\Users\Admin\AppData\Local\Temp\8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe
"C:\Users\Admin\AppData\Local\Temp\8a667416b998d7114c73c1592ea2a8d7ff28475a5c3955204edcf1650daa3511.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1612-132-0x0000000000ED0000-0x0000000000EDE000-memory.dmp

Filesize
56KB

Download
memory/1612-133-0x000000001DA40000-0x000000001DA62000-memory.dmp

Filesize
136KB

Download
memory/1612-134-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/1612-135-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download