Analysis
- max time kernel: 99s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05/12/2022, 11:43
Static task: static1
Behavioral task: behavioral1
- Sample: 9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
- Resource: win10v2004-20221111-en
(The Analysis block above reports resource win7-20220812-en, so the signatures and process tree that follow are from the behavioral1 run.)
General
- Target: 9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
- Size: 324KB
- MD5: 37f612fda2c0fd1f1f5a63e91aebbb2d
- SHA1: 6d00de148a63f1dde8988c2cd0e9562f00d30304
- SHA256: 9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1
- SHA512: 27a7acc4bb9f7d4f142ce75945f91676c0f8fb2d342818f2ed3fdd280b50feb09bd5df15a0ef5946f249f8ae8c8de868f8167b3e0e77f83bd4942c6c2086a92f
- SSDEEP: 6144:cQoFKbHYm+SA9tBB5GBcRudjttS+jiNhF2sGdYJf4cWjZmK:DUms9x5GEOjtQ+jacsG9
Malware Config: no configuration extracted (section is empty in this report)
Signatures
(Hits attributed to explorer.exe (PID 2044) and AUDIODG.EXE (PID 1384) come from top-level processes outside the sample's tree, see Processes below; the sample's own behaviour is confined to the PID 888 and PID 1220 rows.)
- Disables taskbar notifications via registry modification
  (no IoC rows listed in the report)
- Executes dropped EXE (1 IoC)
  PID 1220  vjv.exe
- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components  (explorer.exe)
- Deletes itself (1 IoC)
  PID 1220  vjv.exe
- Loads dropped DLL (2 IoCs)
  PID 888  9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe  (x2)
- Modifies registry class (5 IoCs)
  Key created  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings  (explorer.exe)
  Key created  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell  (explorer.exe)
  Key created  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  (explorer.exe)
  Set value (data)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  (explorer.exe)
  Set value (data)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  (explorer.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 888  9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe  (x8)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2044  explorer.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeShutdownPrivilege  PID 2044  explorer.exe  (x12)
  Token: 33  PID 1384  AUDIODG.EXE  (x2)
  Token: SeIncBasePriorityPrivilege  PID 1384  AUDIODG.EXE  (x2)
- Suspicious use of FindShellTrayWindow (30 IoCs)
  PID 2044  explorer.exe  (x30)
- Suspicious use of SendNotifyMessage (20 IoCs)
  PID 2044  explorer.exe  (x20)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 888 (9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe) wrote to memory of PID 1220, procid_target 27  (x4)
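The signature rows in this report arrive as flattened "pid Process ..." / "description ioc Process ..." runs, and the interesting question for a practitioner is which hits belong to the sample's own process tree and which are fired by unrelated sandbox processes. The following is an added example, not code from the report or from the sandbox vendor: it parses rows in exactly the layout shown above (constructed here from a subset of the report's rows, with repeat counts shortened except for FindShellTrayWindow) and attributes each signature to the processes that fired it. Everything else (the function and variable names, the `attribute` output shape) is an assumption of this example.

```python
"""Added example, not part of the Triage report: parse the flattened
signature/IoC rows exactly as they appear in this text dump and attribute
each signature to the processes that fired it, so hits from the sample's own
process tree (PIDs 888 and 1220) can be separated from hits on unrelated
sandbox processes (explorer.exe PID 2044, AUDIODG.EXE PID 1384)."""
from collections import Counter
import re

SAMPLE_EXE = "9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe"
SID = "S-1-5-21-2292972927-2705560509-2768824231-1000"

# Constructed input: signature rows copied from the report. Rows that the
# report repeats many times are shortened to two copies, except
# FindShellTrayWindow, which keeps its 30 copies to show the collapse.
REPORT = {
    "Executes dropped EXE": "pid Process 1220 vjv.exe -",
    "Loads dropped DLL": f"pid Process 888 {SAMPLE_EXE} 888 {SAMPLE_EXE} -",
    "Suspicious use of FindShellTrayWindow":
        "pid Process " + "2044 explorer.exe " * 30 + "-",
    "Suspicious use of AdjustPrivilegeToken":
        "description pid Process Token: SeShutdownPrivilege 2044 explorer.exe "
        "Token: 33 1384 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1384 AUDIODG.EXE -",
    "Modifies registry class":
        "description ioc Process "
        f"Key created \\REGISTRY\\USER\\{SID}_Classes\\Local Settings explorer.exe "
        f"Set value (data) \\REGISTRY\\USER\\{SID}_CLASSES\\Local Settings\\Software"
        "\\Microsoft\\Windows\\Shell\\BagMRU\\MRUListEx = ffffffff explorer.exe -",
    "Suspicious use of WriteProcessMemory":
        "description pid Process procid_target "
        f"PID 888 wrote to memory of 1220 888 {SAMPLE_EXE} 27 "
        f"PID 888 wrote to memory of 1220 888 {SAMPLE_EXE} 27",
}

# One regex per row layout that occurs in the report.
PID_ROW = re.compile(r"(\d+) (\S+)")                                  # "<pid> <process>"
TOKEN_ROW = re.compile(r"Token: (\S+) (\d+) (\S+)")                   # "Token: <priv> <pid> <process>"
WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
REG_ROW = re.compile(
    r"(Key created|Set value \([a-z]+\)) (.+?) (\S+\.exe)(?= Key created| Set value|$)",
    re.IGNORECASE,
)


def parse_rows(line):
    """Return (pid, process, detail) triples from one flattened IoC line.

    pid is None for registry rows, which carry only the process name."""
    line = re.sub(r"\s*-\s*$", "", line.strip())  # drop the trailing " -" separator
    if line.startswith("description pid Process procid_target"):
        return [(int(src), proc, f"wrote to memory of PID {dst}")
                for src, dst, _, proc, _ in WPM_ROW.findall(line)]
    if line.startswith("description pid Process"):
        return [(int(pid), proc, f"token {priv}")
                for priv, pid, proc in TOKEN_ROW.findall(line)]
    if line.startswith("description ioc Process"):
        return [(None, proc, f"{desc} {ioc}")
                for desc, ioc, proc in REG_ROW.findall(line)]
    if line.startswith("pid Process"):
        return [(int(pid), proc, "") for pid, proc in PID_ROW.findall(line)]
    raise ValueError(f"unrecognised IoC row layout: {line[:40]!r}")


def attribute(report, sample_procs):
    """Collapse repeated rows into counts per (pid, process) and mark whether
    any hit came from a process belonging to the sample's own tree."""
    result = {}
    for sig, line in report.items():
        hits = Counter((pid, proc) for pid, proc, _ in parse_rows(line))
        from_sample = any(proc.lower() in sample_procs for _, proc in hits)
        result[sig] = {"hits": hits, "from_sample": from_sample}
    return result


# Process names in the sample's tree, from the Processes section of the report.
SAMPLE_PROCS = {SAMPLE_EXE.lower(), "vjv.exe"}

if __name__ == "__main__":
    for sig, info in attribute(REPORT, SAMPLE_PROCS).items():
        tag = "SAMPLE " if info["from_sample"] else "noise  "
        print(tag, sig, dict(info["hits"]))
```

Run stand-alone, the script marks Executes dropped EXE, Loads dropped DLL and WriteProcessMemory as sample behaviour and the explorer.exe/AUDIODG.EXE signatures as noise, with the 30 FindShellTrayWindow rows collapsed to a single count.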
Processes
- C:\Users\Admin\AppData\Local\Temp\9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe"
  PID: 888
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\vjv.exe  (child of PID 888)
    Command line: "C:\Users\Admin\AppData\Local\vjv.exe" -gav C:\Users\Admin\AppData\Local\Temp\9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
    PID: 1220
    - Executes dropped EXE
    - Deletes itself
    (The dropped copy is launched with the original sample's path as its -gav argument and is the process credited with the "Deletes itself" hit.)
- C:\Windows\explorer.exe  (top-level process, not spawned by the sample)
  Command line: explorer.exe
  PID: 2044
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\AUDIODG.EXE  (top-level process, not spawned by the sample)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x490
  PID: 1384
  - Suspicious use of AdjustPrivilegeToken
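The process tree above shows the shape a detection engineer would want to catch in endpoint telemetry: a binary running from %TEMP% drops a copy under %LOCALAPPDATA%, starts it with its own path on the command line, and the child is then the process credited with deleting the original. The following is an added example, not code from the report or from the sandbox vendor. It scores process-creation events with the Sysmon Event ID 1 field subset (Image, CommandLine, ParentImage, ProcessId, ParentProcessId); the PID 888 and PID 1220 events reproduce the report's command lines, while the parent of PID 888 and the three control events (a notepad launch and an application restart helper) are constructed for the example, as are all function names.

```python
"""Added example, not part of the Triage report: a process-creation
detection for the pattern in the report's process tree, where the sample in
%TEMP% drops vjv.exe to %LOCALAPPDATA%, launches it with the sample's own
path as an argument (-gav <path>), and the dropped copy is then the process
credited with "Deletes itself". Fields mirror Sysmon Event ID 1."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Sysmon Event ID 1 field subset."""
    pid: int
    image: str
    command_line: str
    ppid: int
    parent_image: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\vjv.exe"

# Constructed telemetry. PIDs 888 and 1220 and their command lines are taken
# from the report; the parent of 888 (explorer.exe, PID 1400) and the three
# control events are assumptions made for this example.
EVENTS = [
    ProcEvent(888, SAMPLE, f'"{SAMPLE}"', 1400, r"C:\Windows\explorer.exe"),
    ProcEvent(1220, DROPPED, f'"{DROPPED}" -gav {SAMPLE}', 888, SAMPLE),
    # benign control: explorer opening a document
    ProcEvent(2000, r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt',
              1400, r"C:\Windows\explorer.exe"),
    # benign control: an installed application restarting itself via a helper;
    # same command-line shape as the alert, but nothing runs from %TEMP%
    ProcEvent(3000, r"C:\Program Files\Acme\acme.exe",
              r'"C:\Program Files\Acme\acme.exe"', 1400, r"C:\Windows\explorer.exe"),
    ProcEvent(3001, r"C:\Program Files\Acme\updater.exe",
              r'"C:\Program Files\Acme\updater.exe" --restart "C:\Program Files\Acme\acme.exe"',
              3000, r"C:\Program Files\Acme\acme.exe"),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def argv_of(command_line):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [quoted or bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', command_line)]


def relaunch_alerts(events):
    """Flag children that receive their parent's own image path as an argument.

    Severity is high only when the parent also runs from %TEMP% and the child
    was written somewhere else, which is the drop-relaunch-delete shape."""
    alerts = []
    for ev in events:
        args = argv_of(ev.command_line)[1:]
        if not any(a.lower() == ev.parent_image.lower() for a in args):
            continue
        reasons = ["child is passed its parent's image path as an argument"]
        if TEMP_DIR.search(ev.parent_image):
            reasons.append("parent executes from %TEMP%")
        if ntpath.dirname(ev.image).lower() != ntpath.dirname(ev.parent_image).lower():
            reasons.append("child was dropped outside the parent's directory")
        alerts.append({
            "pid": ev.pid, "image": ev.image, "parent_pid": ev.ppid,
            "severity": "high" if len(reasons) == 3 else "low",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in relaunch_alerts(EVENTS):
        print(alert["severity"], alert["pid"], alert["image"], "; ".join(alert["reasons"]))
```

The updater control fires only the low-severity rule, which is the intended false-positive behaviour: passing a parent path to a child is common in restart helpers, and it is the %TEMP% origin plus the relocated child that makes this tree worth a high-severity alert. To confirm the "Deletes itself" half of the pattern outside the sandbox, correlate the alert with a later file-delete event (Sysmon Event ID 23) whose target is the parent image.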
Network
- (empty in this report)
MITRE ATT&CK Enterprise v6
- (empty in this report)
Downloads
- Filesize: 324KB
  MD5: e3cb0dff8db02e6f748edc6b2afc6281
  SHA1: 793e852ed6f46f78f9f736501eb837b6556764c5
  SHA256: ca7a618a2e0df4e370dbda441e1c6aebe92011eb3d0e3f62e008ca4ad485263f
  SHA512: d9d9ceccf869ea17793c0ec538b353335676210d28ebe60a67da5c3512e87abda223558dbaaee8874f130f281b20a2984b5f62ff9641b8f3dc6e21112448485c
  (The report lists this entry three times with identical hashes. It is the same size as the submitted sample, 324KB, but every hash differs from the sample's, so it is a different binary.)