50d011ed5e7a16c3274acc809c1811d816f227596f59c27d0c41eb097901cf46

Analysis

max time kernel
256s
max time network
217s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/04/2023, 14:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9998.exe
Size

12KB
MD5

8b7780825f6c61c6350dac7964af2cdd
SHA1

6e728dc5a8d8fdedb8e95325afc090e1ccdce7a3
SHA256

50d011ed5e7a16c3274acc809c1811d816f227596f59c27d0c41eb097901cf46
SHA512

0694aac1a9d85b57b1c076d08962f3eb050a41a6791b13a80e6683816741647877fb7ec15038a8803af8ec00e4b2908705502f288e77bb686095595c75da3e9f
SSDEEP

96:TUp+1K7xoZKqPJUVcZgt21JK/1DcR1wsPnspyxbzMNFPH9rzri9XkLmD755tfMss:8doY7Vtth1D9Q+F/VO9Xf55tfVDi1b

Score

1^/10

Malware Config

Signatures

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
988	tasklist.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
608	taskkill.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1936	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	844	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	844	AUDIODG.EXE
Token: 33	844	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	844	AUDIODG.EXE
Token: SeDebugPrivilege	988	tasklist.exe
Token: SeDebugPrivilege	1936	taskmgr.exe
Token: SeDebugPrivilege	608	taskkill.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe
1936	taskmgr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 988	1572	CMD.exe	31
PID 1572 wrote to memory of 988	1572	CMD.exe	31
PID 1572 wrote to memory of 988	1572	CMD.exe	31
PID 1572 wrote to memory of 1936	1572	CMD.exe	33
PID 1572 wrote to memory of 1936	1572	CMD.exe	33
PID 1572 wrote to memory of 1936	1572	CMD.exe	33
PID 1572 wrote to memory of 608	1572	CMD.exe	34
PID 1572 wrote to memory of 608	1572	CMD.exe	34
PID 1572 wrote to memory of 608	1572	CMD.exe	34
PID 1572 wrote to memory of 1736	1572	CMD.exe	37
PID 1572 wrote to memory of 1736	1572	CMD.exe	37
PID 1572 wrote to memory of 1736	1572	CMD.exe	37

C:\Users\Admin\AppData\Local\Temp\9998.exe
"C:\Users\Admin\AppData\Local\Temp\9998.exe"
1⤵
PID:1128

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\system32\CMD.exe
"C:\Windows\system32\CMD.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\system32\taskmgr.exe
  taskmgr
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1936
- C:\Windows\system32\taskkill.exe
  taskkill /f /im svchost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:608
- C:\Windows\system32\wininit.exe
  wininit
  2⤵
  PID:1736

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1624-56-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1936-54-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1936-55-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download