f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2022 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe
Size

34KB
MD5

35cef4d8899d029b91292671489c1d70
SHA1

4fd6705c5797c80cf38316719c10ff0f36eeb149
SHA256

f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e
SHA512

6a3e0289b00ed2177345f558db05f38feb6d7d361f02f9ec5323975337ae9b1616a3dff033ebfb6e6dfd9e405b433b43203c1e3b2d5481244906fbaa11dd81cf
SSDEEP

768:AcQhyn/CSQ7JJLQCFNCMhKFZRtEltyF2JbRD+TGseKIfirwp:vQhyn/m7JJLZiMw3TEltyF25t+2ti

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4828	vabdau.exe
2404	hrl7F09.tmp

Loads dropped DLL 1 IoCs

pid	Process
4828	vabdau.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vabdau.exe	f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe
File opened for modification	C:\Windows\SysWOW64\vabdau.exe	f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe
File created	C:\Windows\SysWOW64\hra8.dll	vabdau.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1976	f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 628	1976	f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe	80
PID 1976 wrote to memory of 628	1976	f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe	80
PID 1976 wrote to memory of 628	1976	f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe	80
PID 4828 wrote to memory of 2404	4828	vabdau.exe	81
PID 4828 wrote to memory of 2404	4828	vabdau.exe	81
PID 4828 wrote to memory of 2404	4828	vabdau.exe	81

C:\Users\Admin\AppData\Local\Temp\f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe
"C:\Users\Admin\AppData\Local\Temp\f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F8A8DF~1.EXE > nul
  2⤵
  PID:628

C:\Windows\SysWOW64\vabdau.exe
C:\Windows\SysWOW64\vabdau.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\TEMP\hrl7F09.tmp
  C:\Windows\TEMP\hrl7F09.tmp
  2⤵
  - Executes dropped EXE
  PID:2404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hra8.dll

Filesize
42KB

MD5
650c15e84b4714971dc86b1d8b7e88c5

SHA1
7153d080e2d8b7e7c4bca5bd19fa98dc8b72d6bd

SHA256
602ea9d49bd459c8cc21cc6e28e7927c8b46a5ba1f7f353a71b0843824f1ff6d

SHA512
7345328c891fbe5493b29533bde3df2d4f0dabe5cb4980ed25d4bb17cbfab1ec4e350e1ba52e3d3155d66a13aea428d311104b887564beeece1b18c88ead6246

Download Submit
C:\Windows\SysWOW64\vabdau.exe

Filesize
34KB

MD5
35cef4d8899d029b91292671489c1d70

SHA1
4fd6705c5797c80cf38316719c10ff0f36eeb149

SHA256
f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e

SHA512
6a3e0289b00ed2177345f558db05f38feb6d7d361f02f9ec5323975337ae9b1616a3dff033ebfb6e6dfd9e405b433b43203c1e3b2d5481244906fbaa11dd81cf

Download Submit
C:\Windows\SysWOW64\vabdau.exe

Filesize
34KB

MD5
35cef4d8899d029b91292671489c1d70

SHA1
4fd6705c5797c80cf38316719c10ff0f36eeb149

SHA256
f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e

SHA512
6a3e0289b00ed2177345f558db05f38feb6d7d361f02f9ec5323975337ae9b1616a3dff033ebfb6e6dfd9e405b433b43203c1e3b2d5481244906fbaa11dd81cf

Download Submit
C:\Windows\TEMP\hrl7F09.tmp

Filesize
34KB

MD5
35cef4d8899d029b91292671489c1d70

SHA1
4fd6705c5797c80cf38316719c10ff0f36eeb149

SHA256
f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e

SHA512
6a3e0289b00ed2177345f558db05f38feb6d7d361f02f9ec5323975337ae9b1616a3dff033ebfb6e6dfd9e405b433b43203c1e3b2d5481244906fbaa11dd81cf

Download Submit
C:\Windows\Temp\hrl7F09.tmp

Filesize
34KB

MD5
35cef4d8899d029b91292671489c1d70

SHA1
4fd6705c5797c80cf38316719c10ff0f36eeb149

SHA256
f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e

SHA512
6a3e0289b00ed2177345f558db05f38feb6d7d361f02f9ec5323975337ae9b1616a3dff033ebfb6e6dfd9e405b433b43203c1e3b2d5481244906fbaa11dd81cf

Download Submit
memory/628-134-0x0000000000000000-mapping.dmp

Download
memory/2404-136-0x0000000000000000-mapping.dmp

Download