b5d9d38d8285c25ea78f51e8ca4f733a32288304877008200f4fe387d6f274c9

Resubmissions

11/05/2023, 15:59

230511-te7wwsgh51 10

11/05/2023, 15:55

230511-tc28mafc9s 7

Analysis

max time kernel
39s
max time network
52s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/05/2023, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chase_Bank_Statement0143121402341.exe
Size

46.4MB
MD5

3b5b953161b67511571722028157e57b
SHA1

1850bc9b1e5b15318c248f12c8e306a304971c10
SHA256

b5d9d38d8285c25ea78f51e8ca4f733a32288304877008200f4fe387d6f274c9
SHA512

08a9fca3864faba290998d700fe29ed2adbe55e7418d605fb017ea030b476b88429a0c5f77867b7504cc0e7f51af9538112e98796c7033fd96a63aaa41946d35
SSDEEP

786432:7ZHQRRSZ5s9OYQ9huQDAwpu4MGxoxgoACrN4CDKsI9b:7ZHX69WhuQDAwsGKGc+CDPOb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1900	Hgaprkgjlavzuyfc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1236	Chase_Bank_Statement0143121402341.exe
1236	Chase_Bank_Statement0143121402341.exe
1236	Chase_Bank_Statement0143121402341.exe
1236	Chase_Bank_Statement0143121402341.exe
1236	Chase_Bank_Statement0143121402341.exe
1236	Chase_Bank_Statement0143121402341.exe
1236	Chase_Bank_Statement0143121402341.exe
1236	Chase_Bank_Statement0143121402341.exe
1236	Chase_Bank_Statement0143121402341.exe
1236	Chase_Bank_Statement0143121402341.exe
1236	Chase_Bank_Statement0143121402341.exe
1236	Chase_Bank_Statement0143121402341.exe
1236	Chase_Bank_Statement0143121402341.exe
1236	Chase_Bank_Statement0143121402341.exe
1236	Chase_Bank_Statement0143121402341.exe
1236	Chase_Bank_Statement0143121402341.exe
1452	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	1592	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1592	AUDIODG.EXE
Token: 33	1592	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1592	AUDIODG.EXE
Token: SeDebugPrivilege	1452	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 1452	1236	Chase_Bank_Statement0143121402341.exe	31
PID 1236 wrote to memory of 1452	1236	Chase_Bank_Statement0143121402341.exe	31
PID 1236 wrote to memory of 1452	1236	Chase_Bank_Statement0143121402341.exe	31
PID 1236 wrote to memory of 1900	1236	Chase_Bank_Statement0143121402341.exe	33
PID 1236 wrote to memory of 1900	1236	Chase_Bank_Statement0143121402341.exe	33
PID 1236 wrote to memory of 1900	1236	Chase_Bank_Statement0143121402341.exe	33
PID 1236 wrote to memory of 1900	1236	Chase_Bank_Statement0143121402341.exe	33

C:\Users\Admin\AppData\Local\Temp\Chase_Bank_Statement0143121402341.exe
"C:\Users\Admin\AppData\Local\Temp\Chase_Bank_Statement0143121402341.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Users\Admin\AppData\Local\Temp\Hgaprkgjlavzuyfc.exe
  "C:\Users\Admin\AppData\Local\Temp\Hgaprkgjlavzuyfc.exe"
  2⤵
  - Executes dropped EXE
  PID:1900

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x560
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hgaprkgjlavzuyfc.exe

Filesize
20.5MB

MD5
763d29f3949185346e36f2c261dcf754

SHA1
94eed1e6057371c40302b5fb3e39aa7762b677cb

SHA256
e3d449347d9a8ff9284bcd209d3278b46f5c88862de612ef7ed489150630f745

SHA512
e5304282f60d5cb1010ebd3cb3f91c7e4a8c11943ac09475dcf45e63e23017b89c804d47a1ed8e106cc4d075497b6f7c7302c078577949c7af20ba99c3145829

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hgaprkgjlavzuyfc.exe

Filesize
16.4MB

MD5
a5b5f65a1c9a6bca6aba490f7b85dccc

SHA1
955a26910c6c8da0b2e3b3aad8025bf6636e93a4

SHA256
55d4493da82bea2f4484df55840846ea74365957d37fa9169f2e5b69b2be4d4a

SHA512
0bd367ca703f44e7987c8529bde20c822477507c266a211441f7673ae9836a55882f4166c39982a6e1374237f61a97ceaaaacfa393815bba098222561ac6700f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hgaprkgjlavzuyfc.exe

Filesize
5.6MB

MD5
075415c3bc8537a92b0eb0a23190a847

SHA1
495ac3b2fdb54799896a11c61b7afcd8664504fa

SHA256
7d73c13f12c27a5a2b8c30a8ae8536f7fbbbb69fcb2a42ced78753319c978e19

SHA512
2f8d4e2195221223c8d9067743c77df63ae03192427067d6b36269043339a1563da16f4e8003876078eb2d6d319900df73be042eacd89a6f1a146f500d4fb3e1

Download Submit
memory/1236-68-0x0000000077610000-0x0000000077612000-memory.dmp

Filesize
8KB

Download
memory/1236-71-0x000007FEFD5F0000-0x000007FEFD5F2000-memory.dmp

Filesize
8KB

Download
memory/1236-59-0x00000000775E0000-0x00000000775E2000-memory.dmp

Filesize
8KB

Download
memory/1236-60-0x00000000775F0000-0x00000000775F2000-memory.dmp

Filesize
8KB

Download
memory/1236-61-0x00000000775F0000-0x00000000775F2000-memory.dmp

Filesize
8KB

Download
memory/1236-62-0x00000000775F0000-0x00000000775F2000-memory.dmp

Filesize
8KB

Download
memory/1236-63-0x0000000077600000-0x0000000077602000-memory.dmp

Filesize
8KB

Download
memory/1236-64-0x0000000077600000-0x0000000077602000-memory.dmp

Filesize
8KB

Download
memory/1236-65-0x0000000077600000-0x0000000077602000-memory.dmp

Filesize
8KB

Download
memory/1236-66-0x0000000077610000-0x0000000077612000-memory.dmp

Filesize
8KB

Download
memory/1236-67-0x0000000077610000-0x0000000077612000-memory.dmp

Filesize
8KB

Download
memory/1236-56-0x00000000775D0000-0x00000000775D2000-memory.dmp

Filesize
8KB

Download
memory/1236-70-0x000007FEFD5F0000-0x000007FEFD5F2000-memory.dmp

Filesize
8KB

Download
memory/1236-58-0x00000000775E0000-0x00000000775E2000-memory.dmp

Filesize
8KB

Download
memory/1236-73-0x000007FEFD650000-0x000007FEFD652000-memory.dmp

Filesize
8KB

Download
memory/1236-74-0x000007FEFD650000-0x000007FEFD652000-memory.dmp

Filesize
8KB

Download
memory/1236-75-0x000000013F1C0000-0x0000000142035000-memory.dmp

Filesize
46.5MB

Download
memory/1236-55-0x00000000775D0000-0x00000000775D2000-memory.dmp

Filesize
8KB

Download
memory/1236-54-0x00000000775D0000-0x00000000775D2000-memory.dmp

Filesize
8KB

Download
memory/1236-57-0x00000000775E0000-0x00000000775E2000-memory.dmp

Filesize
8KB

Download
memory/1452-84-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/1452-85-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/1452-83-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/1452-82-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/1452-81-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download