Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 03:03
Static task: static1

Behavioral task: behavioral1
- Sample: 2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
- Resource: win10v2004-20220812-en
General
- Target: 2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
- Size: 3.5MB
- MD5: 2bbeaf65fe70ffad6405332b7e19b43e
- SHA1: 544c3fe26871bb2d3f940c6b1e466e2280af7df5
- SHA256: 2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8
- SHA512: 1e11b36439550995616bd98ea647ce45f2055d2c1022f9fd25536f48dd00d5487185b668e2c543f6d79ff9c34fb30ab74c50de5218ca160274f96fd473be569f
- SSDEEP: 98304:DTp2wpw5ufHPJ0jqDp6FYskEhipjhj8EJqaF1t:D7w5KPqG96+skC5QqaF1
Malware Config

Signatures
- YARA rule matches (vmprotect)
  resource | yara_rule
  behavioral2/memory/4884-132-0x0000000002A00000-0x0000000002BCD000-memory.dmp | vmprotect
  behavioral2/memory/4884-134-0x0000000002A00000-0x0000000002BCD000-memory.dmp | vmprotect
  behavioral2/memory/4884-135-0x0000000002A00000-0x0000000002BCD000-memory.dmp | vmprotect
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  4884 | 2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Processes:
  description | flow | ioc
  HTTP User-Agent header | 5 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  4884 | 2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
  4884 | 2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid | process
  4884 | 2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: 33 | 3292 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 3292 | AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  pid | process
  4884 | 2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
  4884 | 2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
  4884 | 2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
  4884 | 2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4a0 0x2e0
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\sqlite3.dll
  Filesize: 532KB
  MD5: d6580cc678d0a80596628cd3cab61ff1
  SHA1: db1390e3e7f711187fd4313473f1553308701414
  SHA256: 265aa2c0a2fa572e6787560a4942b5f5ae72cc857b99ede35c29305794b81ab7
  SHA512: f990e2d25d03e01ca848a3f20d4c3a572cea7a83c6bf07dcfa71eea20c3b0579a358c73419b52dfeaf9e745967622b1c262c9fa9fcf7a96d325b1b690a2d6662
- memory/4884-132-0x0000000002A00000-0x0000000002BCD000-memory.dmp
  Filesize: 1.8MB
- memory/4884-134-0x0000000002A00000-0x0000000002BCD000-memory.dmp
  Filesize: 1.8MB
- memory/4884-135-0x0000000002A00000-0x0000000002BCD000-memory.dmp
  Filesize: 1.8MB
- memory/4884-140-0x0000000002A00000-0x0000000002BCD000-memory.dmp
  Filesize: 1.8MB