45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3

Analysis

max time kernel
27s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-05-2023 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3.exe
Size

1.7MB
MD5

4f24c94182a964c6706c1920a73822c0
SHA1

5fd5f215270c5f7ff7828d8e1fe7e784094ae2f0
SHA256

45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3
SHA512

d1f7d8b5b6f1f3464a2946b861bc7c919623ad3fddeb7899d546fae93f6d864fd614a88b043c46d990942eaf59076a72702ad17dca26b178c8312c75219ce1fd
SSDEEP

49152:zsRpndZn496l3tGPHbbe2q6d5axY5zGbpSFUxTJ:zsRfZn4gVKeOwozwRv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
540	Engine.exe

Loads dropped DLL 1 IoCs

pid	Process
1632	45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
336	powershell.exe
336	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	336	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 540	1632	45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3.exe	27
PID 1632 wrote to memory of 540	1632	45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3.exe	27
PID 1632 wrote to memory of 540	1632	45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3.exe	27
PID 1632 wrote to memory of 540	1632	45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3.exe	27
PID 1632 wrote to memory of 540	1632	45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3.exe	27
PID 1632 wrote to memory of 540	1632	45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3.exe	27
PID 1632 wrote to memory of 540	1632	45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3.exe	27
PID 540 wrote to memory of 1728	540	Engine.exe	28
PID 540 wrote to memory of 1728	540	Engine.exe	28
PID 540 wrote to memory of 1728	540	Engine.exe	28
PID 540 wrote to memory of 1728	540	Engine.exe	28
PID 1728 wrote to memory of 552	1728	cmd.exe	30
PID 1728 wrote to memory of 552	1728	cmd.exe	30
PID 1728 wrote to memory of 552	1728	cmd.exe	30
PID 1728 wrote to memory of 552	1728	cmd.exe	30
PID 552 wrote to memory of 336	552	cmd.exe	31
PID 552 wrote to memory of 336	552	cmd.exe	31
PID 552 wrote to memory of 336	552	cmd.exe	31
PID 552 wrote to memory of 336	552	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3.exe
"C:\Users\Admin\AppData\Local\Temp\45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\SETUP_47588\Engine.exe
  C:\Users\Admin\AppData\Local\Temp\SETUP_47588\Engine.exe /TH_ID=_1460 /OriginExe="C:\Users\Admin\AppData\Local\Temp\45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd < Yugoslavia
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:552
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SETUP_47588\00000#Cancer

Filesize
101KB

MD5
d4c65e691f5a42538b02417f60c042be

SHA1
7726b2bd52dc94a9d3e79f2e82e92dd8820997ad

SHA256
d71b5a80bc3d6fce71c6fc6efb62542bd5536d7d3805d92067a29f512bd12c33

SHA512
e487f30b27b178a09d381802767f7425d63e6538bc9b0d5406ea39cf7f7c2c586d53850e460b897a49014b61e75ffbe817b4a93b9460a18ed89d223048dab62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_47588\00001#Foto

Filesize
199KB

MD5
60ad6b661b7d878936b63c39e7d94555

SHA1
655ca3b2c75ad015a02470c92e8d7b9d58541524

SHA256
650f797d33d5ecf29e1876324de2507a3b97cad3cc00c1e25ff02420a2e4e70e

SHA512
f44b3d36f26666c079354085471d44b2838c24553fd0797e12c3c96b14794aa24073574379e1e0abce3b38aaaa179dd1bf05c51ca3831aff82c90fe6699cc606

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_47588\00002#Gp

Filesize
74KB

MD5
4f39ba8b1c907e52d53215ea79a1896f

SHA1
975c70c4973697cce66c149a00cc8b20e79526be

SHA256
ace9abce7314ca6736b6b6acf5a1f96c7d24f7764678f99ffb795a897a6e7bf2

SHA512
e862921fbad7a8118a1c12f1c9ca33b7f41251b69b0dc48dcbf3c40350174f5db8946c75797b0042e3d9633821b66e523212a1998a901f712bc8b0053d1e7572

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_47588\00003#Management

Filesize
154KB

MD5
b0525ab549845919679f78453f554c1f

SHA1
3d2179acba0634cc71003502923c3a4a52b31d14

SHA256
31c86eb615672da32e64560553d46cb18c25e7ea794e4637cfac3c4be0a9fb47

SHA512
b983c3517cf878e99ad94d0227c25edb52e82c5ead93c7cbfa6ea2543d483db20be2f210029237131e8e5517497e910abcdb119edf88cdb7eac9e61c4f2a3087

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_47588\00004#Piece

Filesize
43KB

MD5
bf7a0cdf40d3aa9fc94c9accd73298d2

SHA1
a049a7323a8468d1bbd3e96a1ace4266fce4429c

SHA256
96eab71166cc7df7ec1eae988487d76d463c080f1da98b194bc60a1701e5d3ae

SHA512
6a0eb5de2f23ff986c90835b7b24e5299fdb882186bcc88fece6a6a4363871dda00b8313ee729557778cf4c14456e9c25d79108be35f31df1d9b697f5d89009e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_47588\00005#Prototype

Filesize
33KB

MD5
ad1b6b16c6c6c23f01288183183ed0c1

SHA1
b60363ebd25d9953f202423b34e0c81fa24dafb6

SHA256
94fca15d4913ccc5955aef8942cb475306a6815190fe27ff742b40a808ff860e

SHA512
d461bf0dd5b20b1cb5dc07128be156b3ab144607c5794956635ca7ce90a2d643d539b2f6dd063c8889e01e074db74cacd41940a3d3bb53cd2406f77f0ccac6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_47588\00006#Stands

Filesize
1.2MB

MD5
4a1f67fc0cacc5cf1c9ab1ab05e25ec6

SHA1
e955600ae7c0f6bec15a4126f1be10acc6a6b875

SHA256
ed299bf8533de2b3f0965295aa5be53e8486dfa0887e20de0b4c6c2fd3b30b4b

SHA512
e0f1a52209c13937afcdb954e59daba04d80f82cba702788e1d6d359f2e4dd189d01455f32a167b6014c68e5d670686d2ace1bfea0b8c31b3c91f2f052669675

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_47588\00007#Sue

Filesize
157KB

MD5
f51e203d3f2ac1e4f6ed5a89f5805fcb

SHA1
76195a680f2e178c03d35719a0adc776fe901289

SHA256
c6a7beb722fefad0a7f6f2057cbfda9a8cec198e56f2946191aeb9de7578b2ca

SHA512
8c2ab71bf608066d3a63cdac2924d8a6d6c983e8257aed07691f5dace70442de5e72ba0f3bfe8b6395314178ddde219ca5005e65aed305165a06cae2dba16bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_47588\00008#Welfare

Filesize
54KB

MD5
f5802553964d59c3874a7ea7f0313c68

SHA1
106f605a2e7704cb8341b27ca982f5f70d09bc0f

SHA256
35cc1497dc397cf46815bfb41953a134170bbea3fd0d5178ca45b6bbb01084f9

SHA512
8f495fc3ceda40788b3dc7a2eec223e3d40b5edf1ff4ed159f20a256f1ba71d8baba135b3b1bf9f6f07851dc99bd4e29fd2af1bc7984bccca4fc390c0fc83b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_47588\00009#Wines

Filesize
110KB

MD5
31ae6922272bfd6c6a863b679940d005

SHA1
df93b1021c3bb2087b249a82d4cbcd599659fcd6

SHA256
77031c9bf9a778abef4672a2b749dd7fb662a29b3e69ea391fe04dd4944601d8

SHA512
f0765279accdefbf611088e92433d258700bc97d28468b6cbd34c1be5b7cf27a54763009214bd4ce052c4bec87debd9464e2f040028fba40fb32da20d82669bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_47588\00010#Yugoslavia

Filesize
15KB

MD5
9852c7adb40127bf8e29ae2346482129

SHA1
d5decd97f329dc62f824a17b204a214a83a1292b

SHA256
85ad2b1fd775ecd859922d5550f76f87f8e8e9dd84d878ee786450a8aefee1ac

SHA512
0a89fa89340df63de408b106ac4503a649ac2bf60978f40452263b8690d81cedf9d812e4b71988a84e6fdb36fdd8dfc0ec30a78d1df2f0cb044b7afa3accc56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_47588\Engine.exe

Filesize
1.3MB

MD5
e4656c54b03a03f816ab33101a324cdc

SHA1
48cd8d9c5a20d36362214d727e184fe4e0075d4f

SHA256
bb998a1e5e162c305a942ade944230c62b0e3bfe347a2a30c33af497109467ba

SHA512
c2980491ab8417feddb609391e14b8f662182f2ca28af47902b74687ac420d8fb2aee4ea9df858668a7affa03c799b2a478213d5629444e9276147096110f7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_47588\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_47588\Setup.txt

Filesize
2KB

MD5
9f82e028a899fe0dded45d76ed1ed06f

SHA1
fc0e0f3e34451087e28d8c51c486a52934e59d4a

SHA256
3dd4285197d7ad7004789eee6464594666ae8e5d913bec23e57151608bd3b109

SHA512
22d4ad271965c8c5fbe038ead00cb374c299e89f7d669ea7657064e5b3c18f4dc7f9d51b102dc388c6f79e805c7196c085edf6e990e6bb33c41ac36854192b18

Download Submit
\Users\Admin\AppData\Local\Temp\SETUP_47588\Engine.exe

Filesize
1.3MB

MD5
e4656c54b03a03f816ab33101a324cdc

SHA1
48cd8d9c5a20d36362214d727e184fe4e0075d4f

SHA256
bb998a1e5e162c305a942ade944230c62b0e3bfe347a2a30c33af497109467ba

SHA512
c2980491ab8417feddb609391e14b8f662182f2ca28af47902b74687ac420d8fb2aee4ea9df858668a7affa03c799b2a478213d5629444e9276147096110f7ba

Download Submit
memory/336-90-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/336-91-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/540-87-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/540-93-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/540-94-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/1632-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download