Analysis
- max time kernel: 41s
- max time network: 57s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 16:32
Behavioral task: behavioral1
- Sample: 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
- Resource: win10v2004-20220812-en
General
- Target: 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
- Size: 1.4MB
- MD5: 5baa9158268baf72cff4b6680f6b6f15
- SHA1: 31dc9d7e1b2a40b69973709e14ff96575648915e
- SHA256: 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da
- SHA512: cd0fc497ee8632263ed0f54150e766a88109fd5e226c6353b1b478ebc5c7b30a0282cfe4bb8357696c16dec6cada05f287322d4ae720ff88f5e3dbd5b9f506d9
- SSDEEP: 24576:QlbJbJRM9+zDmidLD8/xK7tHyQNBBeOs/k580WAwY9UymmLU7Gd4E4:Qlb6Im8ogtyQLIB4qTBG2E4
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
Processes:
description | ioc | process
File created | C:\WINDOWS\SysWOW64\drivers\OOEYnL.sys | 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
- Sets service image path in registry (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ficjs\ImagePath = "\\??\\C:\\WINDOWS\\system32\\drivers\\OOEYnL.sys" | 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
Processes:
resource | yara_rule
behavioral1/memory/1852-55-0x0000000019140000-0x0000000019474000-memory.dmp | vmprotect
behavioral1/memory/1852-56-0x0000000019140000-0x0000000019474000-memory.dmp | vmprotect
behavioral1/memory/1852-58-0x0000000019140000-0x0000000019474000-memory.dmp | vmprotect
behavioral1/memory/1852-59-0x0000000019140000-0x0000000019474000-memory.dmp | vmprotect
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid | process
1852 | 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
1852 | 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
1852 | 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
- Suspicious behavior: LoadsDriver (1 IoC)
Processes:
pid | process
1852 | 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1852 | 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
Token: SeLoadDriverPrivilege | 1852 | 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
pid | process
1852 | 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
1852 | 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
1852 | 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
1852 | 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe"
  Tree level: 1
  PID: 1852
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x50c
  Tree level: 1
  PID: 1160
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1852-54-0x0000000075521000-0x0000000075523000-memory.dmp (Filesize: 8KB)
- memory/1852-55-0x0000000019140000-0x0000000019474000-memory.dmp (Filesize: 3.2MB)
- memory/1852-56-0x0000000019140000-0x0000000019474000-memory.dmp (Filesize: 3.2MB)
- memory/1852-58-0x0000000019140000-0x0000000019474000-memory.dmp (Filesize: 3.2MB)
- memory/1852-59-0x0000000019140000-0x0000000019474000-memory.dmp (Filesize: 3.2MB)
- memory/1852-60-0x0000000072210000-0x0000000072301000-memory.dmp (Filesize: 964KB)