Analysis
-
max time kernel
167s -
max time network
184s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
04-12-2022 12:59
General
-
Target
e855a72e8e762e0b8f6e2a7baae92c41bb76f2131c53aade8adf64e1ee18a4ad.exe
-
Size
303KB
-
MD5
17d0f3a43ddfbd9972b85fc82afcc7cf
-
SHA1
959ccb51a5cbb6a1a36b0318ca4358d4b0a6cd1a
-
SHA256
e855a72e8e762e0b8f6e2a7baae92c41bb76f2131c53aade8adf64e1ee18a4ad
-
SHA512
a0128bc83b90b76ad6b03a18c12bbac98cff4a9b2d83f56b2bcd2d0a75ff01d943afe415b2f579c86030b8b223957ede17f40c72325b70b5b3a8e9ae05797514
-
SSDEEP
6144:D6I4f+Ub8DwRb18eFesZXXGDW2rNr6iaGE2YpVkF0CAvEO4:+UIb1uFHRdaGE2Y8F0dsO4
Malware Config
Signatures
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e855a72e8e762e0b8f6e2a7baae92c41bb76f2131c53aade8adf64e1ee18a4ad.exe"C:\Users\Admin\AppData\Local\Temp\e855a72e8e762e0b8f6e2a7baae92c41bb76f2131c53aade8adf64e1ee18a4ad.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\crh.exe"C:\Users\Admin\AppData\Local\crh.exe" -gav C:\Users\Admin\AppData\Local\Temp\e855a72e8e762e0b8f6e2a7baae92c41bb76f2131c53aade8adf64e1ee18a4ad.exe2⤵
- Executes dropped EXE
- Deletes itself
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f01⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
303KB
MD517d0f3a43ddfbd9972b85fc82afcc7cf
SHA1959ccb51a5cbb6a1a36b0318ca4358d4b0a6cd1a
SHA256e855a72e8e762e0b8f6e2a7baae92c41bb76f2131c53aade8adf64e1ee18a4ad
SHA512a0128bc83b90b76ad6b03a18c12bbac98cff4a9b2d83f56b2bcd2d0a75ff01d943afe415b2f579c86030b8b223957ede17f40c72325b70b5b3a8e9ae05797514
-
Filesize
303KB
MD517d0f3a43ddfbd9972b85fc82afcc7cf
SHA1959ccb51a5cbb6a1a36b0318ca4358d4b0a6cd1a
SHA256e855a72e8e762e0b8f6e2a7baae92c41bb76f2131c53aade8adf64e1ee18a4ad
SHA512a0128bc83b90b76ad6b03a18c12bbac98cff4a9b2d83f56b2bcd2d0a75ff01d943afe415b2f579c86030b8b223957ede17f40c72325b70b5b3a8e9ae05797514
-
Filesize
303KB
MD517d0f3a43ddfbd9972b85fc82afcc7cf
SHA1959ccb51a5cbb6a1a36b0318ca4358d4b0a6cd1a
SHA256e855a72e8e762e0b8f6e2a7baae92c41bb76f2131c53aade8adf64e1ee18a4ad
SHA512a0128bc83b90b76ad6b03a18c12bbac98cff4a9b2d83f56b2bcd2d0a75ff01d943afe415b2f579c86030b8b223957ede17f40c72325b70b5b3a8e9ae05797514
-
-
Filesize
381KB
-
Filesize
381KB
-
Filesize
8KB
-
Filesize
1.1MB
-
Filesize
381KB
-
Filesize
381KB
-
Filesize
8KB