ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353

Analysis

max time kernel
91s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 15:43

Target

ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353.exe
Size

383KB
MD5

590b17eda3a688880192e0cd6bbf14d5
SHA1

5c49e3ab878d73c4154680abce20ef5bbcae991a
SHA256

ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353
SHA512

c07b673e4619c968d0adf198baffe4ab95534e1e567ddc2f78111c7610d4a95521738521ba807e5d68a335c808005f7b9e5416c7f76cc8bc3d6304a9f6f67010
SSDEEP

6144:dQjhLkMFvFZRcBdFrUnJvwQ3+5w7zO68tPFXEVdjIpQQD6Q2fzMV/s35MQ:ywMpFZ0FsJYD5w/O6oFXEV5uQQD69fze

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2824-138-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
3868	ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2824 set thread context of 3868	2824	ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353.exe	25

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4968	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4968	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3868	ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353.exe
3868	ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 3868	2824	ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353.exe	25
PID 2824 wrote to memory of 3868	2824	ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353.exe	25
PID 2824 wrote to memory of 3868	2824	ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353.exe	25
PID 2824 wrote to memory of 3868	2824	ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353.exe	25
PID 2824 wrote to memory of 3868	2824	ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353.exe	25
PID 2824 wrote to memory of 3868	2824	ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353.exe	25
PID 2824 wrote to memory of 3868	2824	ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353.exe	25
PID 2824 wrote to memory of 3868	2824	ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353.exe	25
PID 2824 wrote to memory of 3868	2824	ad21a6421df02fa81e694f0f09584f147b6b7a16b0bbfa809694634e7184d353.exe	25

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d4 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Users\Admin\AppData\Local\Temp\bmC289.tmp

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
memory/2824-141-0x0000000002110000-0x0000000002115000-memory.dmp

Filesize
20KB

Download
memory/2824-139-0x00000000020C0000-0x0000000002100000-memory.dmp

Filesize
256KB

Download
memory/2824-138-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3868-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3868-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3868-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3868-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3868-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3868-143-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3868-144-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download