a14a94f9fdab5ba048e1028f9a7df8193cbf6feccb39c1e84cf12c1c88fe80cb

Analysis

max time kernel
164s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a14a94f9fdab5ba048e1028f9a7df8193cbf6feccb39c1e84cf12c1c88fe80cb.exe
Size

496KB
MD5

de2d04d041d04698b27d96ac2a003424
SHA1

271a06a5b086c0affe959879d1765ac371ab1d6f
SHA256

a14a94f9fdab5ba048e1028f9a7df8193cbf6feccb39c1e84cf12c1c88fe80cb
SHA512

d195653e02680d5086b0679996e2c52f2443364d5ab78128144a447d82f09bd1aaaa07cea89e15417b342c03511de655d25ae91ae80602f486c9333605ba32bc
SSDEEP

12288:8o/7HvvSYUXAkNPwE9/2nx+VOY6XBBR2+qESlm+X:8o/7P6JA4o8OCSxBR2+PS

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a14a94f9fdab5ba048e1028f9a7df8193cbf6feccb39c1e84cf12c1c88fe80cb.exe	a14a94f9fdab5ba048e1028f9a7df8193cbf6feccb39c1e84cf12c1c88fe80cb.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a14a94f9fdab5ba048e1028f9a7df8193cbf6feccb39c1e84cf12c1c88fe80cb.exe	a14a94f9fdab5ba048e1028f9a7df8193cbf6feccb39c1e84cf12c1c88fe80cb.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3040	a14a94f9fdab5ba048e1028f9a7df8193cbf6feccb39c1e84cf12c1c88fe80cb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	a14a94f9fdab5ba048e1028f9a7df8193cbf6feccb39c1e84cf12c1c88fe80cb.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2700	3040	a14a94f9fdab5ba048e1028f9a7df8193cbf6feccb39c1e84cf12c1c88fe80cb.exe	85
PID 3040 wrote to memory of 2700	3040	a14a94f9fdab5ba048e1028f9a7df8193cbf6feccb39c1e84cf12c1c88fe80cb.exe	85
PID 3040 wrote to memory of 2700	3040	a14a94f9fdab5ba048e1028f9a7df8193cbf6feccb39c1e84cf12c1c88fe80cb.exe	85
PID 2700 wrote to memory of 4984	2700	csc.exe	88
PID 2700 wrote to memory of 4984	2700	csc.exe	88
PID 2700 wrote to memory of 4984	2700	csc.exe	88

C:\Users\Admin\AppData\Local\Temp\a14a94f9fdab5ba048e1028f9a7df8193cbf6feccb39c1e84cf12c1c88fe80cb.exe
"C:\Users\Admin\AppData\Local\Temp\a14a94f9fdab5ba048e1028f9a7df8193cbf6feccb39c1e84cf12c1c88fe80cb.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nydfgbb9.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DF4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1DF3.tmp"
    3⤵
    PID:4984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1DF4.tmp

Filesize
1KB

MD5
bb09b4256ee853fd2ef8d7171f6747d2

SHA1
4b8c150aff6a97d064d466a859beda84b71d4b4f

SHA256
6e8d712e6f4947114d228c027fcc4da169035a6de4650908770b9a6cfd408534

SHA512
b81ca52486d8d9dc612ac3a5bdeb6bd4cc4baec1fcf6eefa83a400975cc344d5d60029e7fdb98254983d269b83f835ca350a867251e457c85e356f67ae437c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\nydfgbb9.dll

Filesize
5KB

MD5
eeeb0e1d237862bed227bf09c09ed4d0

SHA1
12faa7303c77959ed7733795628d4c05664fce41

SHA256
d8c37e5738737af76788b35e73355ebfcff26bb656c8ae5c85850b22bb249ad1

SHA512
df84596b03d86d5dc2499175493a70f05e11a10c0f1927978a8af8e4e8308cb232a77bd0ae1e78f25d8b9c5167b94519b8d72f8faa8de8eaa577742bab5ff9ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1DF3.tmp

Filesize
652B

MD5
45c3d8c97e366a2d5cd4e98fdba486c7

SHA1
2f5dcc4748934d412ea6c33e8d856bec829e9a70

SHA256
f0f85ec48cfdab7a4c52ed2a5534d39aef5519bcb7e27e5e92d63e0da82ff96d

SHA512
0c899ad8fd053b07306fe8ee1db668bee1aebfcdea869346d46701d630f1eeb15f871ae0c538f80c0166641cb6316da5ef85fbeeb05cb58ac3a5585af8486c51

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nydfgbb9.0.cs

Filesize
4KB

MD5
2bc50d88957abf4e0cb6fe9c856c882f

SHA1
4bd2ec2628c6e7a1acf7eabafaa0a9d6c428207f

SHA256
d3820365da0d704cf8f350c98d4fa69f38a8beb8742560eff178d854160127cc

SHA512
60285ce9a7eb2366f04a819ddea4d2b383f32c1f99a16009c0d5ca7384cd3290bafd889db87fcf91abca53be365c1e66cacc502d380f95dcaf0b1a87dca7f4a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nydfgbb9.cmdline

Filesize
206B

MD5
93a0d29c1212ec8cfb0662735c4d6346

SHA1
4428e11369e6296ef2487177681dfc899699360d

SHA256
c55074a50d094ff92ddbc2d9457247a0ff281bf3bc13fe25afa46208618adc14

SHA512
3232e1967dea2fb6dc43272d1a025f626a766957a99797282e2618ef8110000609d13d5cc91193b9b91772c9fcc28a843db7c696db1603c2d3b52bd9b98a2756

Download Submit
memory/3040-132-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/3040-134-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download