066b913c144499e82ec4940f69e0c9808ec67bcf1286444bd1a354574d5fe0d8

Analysis

max time kernel
23s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

066b913c144499e82ec4940f69e0c9808ec67bcf1286444bd1a354574d5fe0d8.exe
Size

6.7MB
MD5

fa8b4a926c4a92d9c7030754507a3b43
SHA1

9dd10cf6d3f62ca0c5442098d7384638745865f7
SHA256

066b913c144499e82ec4940f69e0c9808ec67bcf1286444bd1a354574d5fe0d8
SHA512

6eff68adbdbc2a2ebceb1d13471864f29b4a57e7475e171e44f516e772b9ffc44d55813ac624f9331dbbf5a0d1847c3fda6557ac48224528fdd05b706f35975c
SSDEEP

196608:zowzVD6ParFwZnAVkPHPtblKA+qTIlNrTuxm:zbGaRAPHK7Nra

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1100	xlng.tmp

Loads dropped DLL 1 IoCs

pid	Process
1600	066b913c144499e82ec4940f69e0c9808ec67bcf1286444bd1a354574d5fe0d8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1600	066b913c144499e82ec4940f69e0c9808ec67bcf1286444bd1a354574d5fe0d8.exe
1100	xlng.tmp

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1600	066b913c144499e82ec4940f69e0c9808ec67bcf1286444bd1a354574d5fe0d8.exe
1100	xlng.tmp
1100	xlng.tmp
1100	xlng.tmp
1100	xlng.tmp
1100	xlng.tmp
1100	xlng.tmp
1100	xlng.tmp
1100	xlng.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1744	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1744	AUDIODG.EXE
Token: 33	1744	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1744	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1600	066b913c144499e82ec4940f69e0c9808ec67bcf1286444bd1a354574d5fe0d8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1100	1600	066b913c144499e82ec4940f69e0c9808ec67bcf1286444bd1a354574d5fe0d8.exe	28
PID 1600 wrote to memory of 1100	1600	066b913c144499e82ec4940f69e0c9808ec67bcf1286444bd1a354574d5fe0d8.exe	28
PID 1600 wrote to memory of 1100	1600	066b913c144499e82ec4940f69e0c9808ec67bcf1286444bd1a354574d5fe0d8.exe	28
PID 1600 wrote to memory of 1100	1600	066b913c144499e82ec4940f69e0c9808ec67bcf1286444bd1a354574d5fe0d8.exe	28

C:\Users\Admin\AppData\Local\Temp\066b913c144499e82ec4940f69e0c9808ec67bcf1286444bd1a354574d5fe0d8.exe
"C:\Users\Admin\AppData\Local\Temp\066b913c144499e82ec4940f69e0c9808ec67bcf1286444bd1a354574d5fe0d8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\xlng.tmp
  C:\Users\Admin\AppData\Local\Temp\xlng.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1100

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xlng.tmp

Filesize
3.0MB

MD5
50b1f557ab4bfadde6b37d685af8f381

SHA1
d1dea4b4bbc183f0fadc0f7950c208729748efc7

SHA256
12efe4a4d3e31ddc59bd3519d351f52081c34e5440840c995e9c7c1b233597a8

SHA512
72401a0a682332a887e45939143368fa0588c12e22d365497b2ba83055405a7c13da756b1ff5725e3cd8f475640f95ef972448e78801caa39a5b143fe3ea5ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlng.tmp

Filesize
3.0MB

MD5
50b1f557ab4bfadde6b37d685af8f381

SHA1
d1dea4b4bbc183f0fadc0f7950c208729748efc7

SHA256
12efe4a4d3e31ddc59bd3519d351f52081c34e5440840c995e9c7c1b233597a8

SHA512
72401a0a682332a887e45939143368fa0588c12e22d365497b2ba83055405a7c13da756b1ff5725e3cd8f475640f95ef972448e78801caa39a5b143fe3ea5ead

Download Submit
\Users\Admin\AppData\Local\Temp\xlng.tmp

Filesize
3.0MB

MD5
50b1f557ab4bfadde6b37d685af8f381

SHA1
d1dea4b4bbc183f0fadc0f7950c208729748efc7

SHA256
12efe4a4d3e31ddc59bd3519d351f52081c34e5440840c995e9c7c1b233597a8

SHA512
72401a0a682332a887e45939143368fa0588c12e22d365497b2ba83055405a7c13da756b1ff5725e3cd8f475640f95ef972448e78801caa39a5b143fe3ea5ead

Download Submit
memory/1100-65-0x0000000100000000-0x0000000100992000-memory.dmp

Filesize
9.6MB

Download
memory/1100-63-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download
memory/1100-67-0x0000000100000000-0x0000000100992000-memory.dmp

Filesize
9.6MB

Download
memory/1100-68-0x0000000100000000-0x0000000100992000-memory.dmp

Filesize
9.6MB

Download
memory/1600-59-0x0000000000400000-0x00000000011E2000-memory.dmp

Filesize
13.9MB

Download
memory/1600-58-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1600-55-0x0000000000400000-0x00000000011E2000-memory.dmp

Filesize
13.9MB

Download
memory/1600-54-0x0000000000400000-0x00000000011E2000-memory.dmp

Filesize
13.9MB

Download
memory/1600-66-0x00000000067D0000-0x0000000007162000-memory.dmp

Filesize
9.6MB

Download
memory/1600-69-0x0000000000400000-0x00000000011E2000-memory.dmp

Filesize
13.9MB

Download