5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff

Analysis

max time kernel
117s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe
Size

1006KB
MD5

837310f4504edf070e6bf245b6b65756
SHA1

ce53babf2807f0aa135a8a10d06b4ba4c3097513
SHA256

5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff
SHA512

3fa486d504a3c073d343e0931f9d7f7f81fdcc345f43bc1bc5b97f1549787b7ccf1d99919e458c416f3089cd197b90b7cefc906a94619e33b161e33e437ea95a
SSDEEP

24576:EStU4gf2EW5A2DJr/kS4vGIk6v3HCvol3FM64Zf/80abD:Eh43Dp/wPHCvol3K64Zf/8xb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2104	Windows.exe

Loads dropped DLL 12 IoCs

pid	Process
2104	Windows.exe
2104	Windows.exe
2104	Windows.exe
2104	Windows.exe
2104	Windows.exe
2104	Windows.exe
2104	Windows.exe
2104	Windows.exe
2104	Windows.exe
2104	Windows.exe
2104	Windows.exe
2104	Windows.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\APFUXM.DAT	5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe
File created	C:\Windows\DBNEVK.DAT	5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe
File created	C:\Windows\WSVLVR.DAT	5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe
File opened for modification	C:\Windows\Windows.exe	5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe
File created	C:\Windows\uninstal.bat	5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe
File created	C:\Windows\TUSJVD.DAT	5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe
File created	C:\Windows\TXEFEO.DAT	5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe
File created	C:\Windows\LCQBTU.DAT	5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe
File created	C:\Windows\Windows.exe	5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2104	Windows.exe
2104	Windows.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe
Token: SeDebugPrivilege	2104	Windows.exe
Token: SeAssignPrimaryTokenPrivilege	2104	Windows.exe
Token: SeIncreaseQuotaPrivilege	2104	Windows.exe
Token: SeSecurityPrivilege	2104	Windows.exe
Token: SeTakeOwnershipPrivilege	2104	Windows.exe
Token: SeLoadDriverPrivilege	2104	Windows.exe
Token: SeSystemtimePrivilege	2104	Windows.exe
Token: SeShutdownPrivilege	2104	Windows.exe
Token: SeSystemEnvironmentPrivilege	2104	Windows.exe
Token: SeUndockPrivilege	2104	Windows.exe
Token: SeManageVolumePrivilege	2104	Windows.exe
Token: SeDebugPrivilege	2104	Windows.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2104	Windows.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2104	Windows.exe
2104	Windows.exe
2104	Windows.exe
2104	Windows.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 4808	2104	Windows.exe	82
PID 2104 wrote to memory of 4808	2104	Windows.exe	82
PID 4772 wrote to memory of 2232	4772	5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe	81
PID 4772 wrote to memory of 2232	4772	5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe	81
PID 4772 wrote to memory of 2232	4772	5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe	81

C:\Users\Admin\AppData\Local\Temp\5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe
"C:\Users\Admin\AppData\Local\Temp\5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:2232

C:\Windows\Windows.exe
C:\Windows\Windows.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\APFUXM.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\APFUXM.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\APFUXM.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\DBNEVK.DAT

Filesize
122KB

MD5
69c410f159553e56ab5a3d94784e26c9

SHA1
4106505d1666d99c923d94072e8ca80142027b66

SHA256
d431390b789478afba0e9b315b5159933cae6dfb5393f229b49d11286c981d0f

SHA512
8a572c34e010b7566cc8b2c38a8f2d5bfa9defbb10c5affba3847b88641a031fe936a156da3985e034be3b601fce66a6bc612f085c70656a782239f58b4ab994

Download Submit
C:\Windows\DBNEVK.DAT

Filesize
122KB

MD5
69c410f159553e56ab5a3d94784e26c9

SHA1
4106505d1666d99c923d94072e8ca80142027b66

SHA256
d431390b789478afba0e9b315b5159933cae6dfb5393f229b49d11286c981d0f

SHA512
8a572c34e010b7566cc8b2c38a8f2d5bfa9defbb10c5affba3847b88641a031fe936a156da3985e034be3b601fce66a6bc612f085c70656a782239f58b4ab994

Download Submit
C:\Windows\DBNEVK.DAT

Filesize
122KB

MD5
69c410f159553e56ab5a3d94784e26c9

SHA1
4106505d1666d99c923d94072e8ca80142027b66

SHA256
d431390b789478afba0e9b315b5159933cae6dfb5393f229b49d11286c981d0f

SHA512
8a572c34e010b7566cc8b2c38a8f2d5bfa9defbb10c5affba3847b88641a031fe936a156da3985e034be3b601fce66a6bc612f085c70656a782239f58b4ab994

Download Submit
C:\Windows\LCQBTU.DAT

Filesize
11KB

MD5
61f434e7f45b6dcf0b6d95f762922311

SHA1
933cf800b32045f4f79d620272925afeda95bbf2

SHA256
0b9e94f7921f4707cfaf9cf81448ac959126b7f02ce5cd61f51ddc457b4d28fc

SHA512
8b6fefa8ef506c23db6e0342553d63b3520926782d02d93c972ba123813357e51bd2660015be01332d93ae8e46cbdda65b279766a0957d8e31106dc42298ba80

Download Submit
C:\Windows\LCQBTU.DAT

Filesize
11KB

MD5
61f434e7f45b6dcf0b6d95f762922311

SHA1
933cf800b32045f4f79d620272925afeda95bbf2

SHA256
0b9e94f7921f4707cfaf9cf81448ac959126b7f02ce5cd61f51ddc457b4d28fc

SHA512
8b6fefa8ef506c23db6e0342553d63b3520926782d02d93c972ba123813357e51bd2660015be01332d93ae8e46cbdda65b279766a0957d8e31106dc42298ba80

Download Submit
C:\Windows\LCQBTU.DAT

Filesize
11KB

MD5
61f434e7f45b6dcf0b6d95f762922311

SHA1
933cf800b32045f4f79d620272925afeda95bbf2

SHA256
0b9e94f7921f4707cfaf9cf81448ac959126b7f02ce5cd61f51ddc457b4d28fc

SHA512
8b6fefa8ef506c23db6e0342553d63b3520926782d02d93c972ba123813357e51bd2660015be01332d93ae8e46cbdda65b279766a0957d8e31106dc42298ba80

Download Submit
C:\Windows\TUSJVD.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\TUSJVD.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\TUSJVD.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\TXEFEO.DAT

Filesize
11KB

MD5
c998d8a5ae2f5ae6eb941217752cfb50

SHA1
bd2ee5d947f1d727afd952b066c64ceefbcc3879

SHA256
f03c18b5d94d2e8bc2dcff111bea2279f78a1ec78261069fea635f75eafee1e6

SHA512
89737072de9114f687036d1b1aa0e338f7040ef6074de7c4a9e639995ddc6b73a965e968426752420d900a7141aed2f03ba05ca874b1dd025d28d4401aa0b4ed

Download Submit
C:\Windows\TXEFEO.DAT

Filesize
11KB

MD5
c998d8a5ae2f5ae6eb941217752cfb50

SHA1
bd2ee5d947f1d727afd952b066c64ceefbcc3879

SHA256
f03c18b5d94d2e8bc2dcff111bea2279f78a1ec78261069fea635f75eafee1e6

SHA512
89737072de9114f687036d1b1aa0e338f7040ef6074de7c4a9e639995ddc6b73a965e968426752420d900a7141aed2f03ba05ca874b1dd025d28d4401aa0b4ed

Download Submit
C:\Windows\TXEFEO.DAT

Filesize
11KB

MD5
c998d8a5ae2f5ae6eb941217752cfb50

SHA1
bd2ee5d947f1d727afd952b066c64ceefbcc3879

SHA256
f03c18b5d94d2e8bc2dcff111bea2279f78a1ec78261069fea635f75eafee1e6

SHA512
89737072de9114f687036d1b1aa0e338f7040ef6074de7c4a9e639995ddc6b73a965e968426752420d900a7141aed2f03ba05ca874b1dd025d28d4401aa0b4ed

Download Submit
C:\Windows\WSVLVR.DAT

Filesize
11KB

MD5
5ce3d7a45f708877733c875f6c3dee9b

SHA1
50b672429ad64e00165fc0cf7ca9f1cc71263964

SHA256
bfcd681b8fa64f9e1f54b96872edad8ff0f3c4fa682eef8ac212fa5200548935

SHA512
e4ee2f513dca8ba89fe24028d53a42156386af8c41fe999330f7fc223df3e58b33671395613b9c6e79e9a0a24cbde8c8ce7101fa77bc399c242dca378a190f20

Download Submit
C:\Windows\WSVLVR.DAT

Filesize
11KB

MD5
5ce3d7a45f708877733c875f6c3dee9b

SHA1
50b672429ad64e00165fc0cf7ca9f1cc71263964

SHA256
bfcd681b8fa64f9e1f54b96872edad8ff0f3c4fa682eef8ac212fa5200548935

SHA512
e4ee2f513dca8ba89fe24028d53a42156386af8c41fe999330f7fc223df3e58b33671395613b9c6e79e9a0a24cbde8c8ce7101fa77bc399c242dca378a190f20

Download Submit
C:\Windows\WSVLVR.DAT

Filesize
11KB

MD5
5ce3d7a45f708877733c875f6c3dee9b

SHA1
50b672429ad64e00165fc0cf7ca9f1cc71263964

SHA256
bfcd681b8fa64f9e1f54b96872edad8ff0f3c4fa682eef8ac212fa5200548935

SHA512
e4ee2f513dca8ba89fe24028d53a42156386af8c41fe999330f7fc223df3e58b33671395613b9c6e79e9a0a24cbde8c8ce7101fa77bc399c242dca378a190f20

Download Submit
C:\Windows\Windows.exe

Filesize
1006KB

MD5
837310f4504edf070e6bf245b6b65756

SHA1
ce53babf2807f0aa135a8a10d06b4ba4c3097513

SHA256
5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff

SHA512
3fa486d504a3c073d343e0931f9d7f7f81fdcc345f43bc1bc5b97f1549787b7ccf1d99919e458c416f3089cd197b90b7cefc906a94619e33b161e33e437ea95a

Download Submit
C:\Windows\Windows.exe

Filesize
1006KB

MD5
837310f4504edf070e6bf245b6b65756

SHA1
ce53babf2807f0aa135a8a10d06b4ba4c3097513

SHA256
5d2e09340948fd1d8836b13a058dcc7ae96363d701703ad6521822f0638854ff

SHA512
3fa486d504a3c073d343e0931f9d7f7f81fdcc345f43bc1bc5b97f1549787b7ccf1d99919e458c416f3089cd197b90b7cefc906a94619e33b161e33e437ea95a

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
fdceb83df72ffd42b6734d3cfc81b74d

SHA1
6c350c199907a2100634d9cb8c41d4d6010d1fb9

SHA256
d50bb7af5ed7e3e7144a31595a6c51de817729b218519db76b7c05f6a72dd18b

SHA512
dc86407eae49eb3e3c68ef0fef07a7080d4f501911d59fc30a8e411a170b1c87ebd43f23e423056acc7c09b79f89fd196b7cfb422586ab4941fc06f041d36e74

Download Submit
memory/2104-143-0x0000000001720000-0x0000000001744000-memory.dmp

Filesize
144KB

Download
memory/2104-139-0x0000000001700000-0x0000000001713000-memory.dmp

Filesize
76KB

Download
memory/2104-150-0x0000000001760000-0x0000000001772000-memory.dmp

Filesize
72KB

Download
memory/2104-157-0x0000000001750000-0x000000000175F000-memory.dmp

Filesize
60KB

Download
memory/2104-158-0x0000000001780000-0x000000000178F000-memory.dmp

Filesize
60KB

Download
memory/2104-159-0x0000000001790000-0x000000000179F000-memory.dmp

Filesize
60KB

Download