e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-05-2023 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe
Size

2.2MB
MD5

2032bc30b58069c446007e2f8d91c75b
SHA1

beab01a5544464bb50f326d80fe450910b897d62
SHA256

e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1
SHA512

2989ac76eec170becd44776b555d701a0c48f985b9568ead52aeda188bc2e0d3a183ea7824d795951c10aead721210b71285eb2df6c77a638908c1ebbeae411d
SSDEEP

49152:GosN5uxEXiemlxN/jh8APpMvO7qM7D1MuGssjK3gyo4Bbir8OlgwSml:GosNYKX9Uxxh8kkCunL23foYzHml

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\SysWOW64\administratortestpermissions10041 cmd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\administratortestpermissions10041	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main	e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1836	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1836	AUDIODG.EXE
Token: 33	1836	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1836	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe

pid	process
2024	e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe
2024	e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe
2024	e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe
2024	e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe
2024	e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe
2024	e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe

description	pid	process	target process
PID 2024 wrote to memory of 1984	2024	e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe	cmd.exe
PID 2024 wrote to memory of 1984	2024	e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe	cmd.exe
PID 2024 wrote to memory of 1984	2024	e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe	cmd.exe
PID 2024 wrote to memory of 1984	2024	e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe
"C:\Users\Admin\AppData\Local\Temp\e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo t>C:\Windows\system32\administratortestpermissions10041
  2⤵
  - Drops file in System32 directory
  PID:1984

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\administratortestpermissions10041

Filesize
3B

MD5
5696feb53a6ad364e3da313d7bb865c2

SHA1
43ac804404d56225c9e0e44018b43c0e46b4be53

SHA256
9e8b03ea3b48312f8e3a15bec7aa85c96a362e2776ac6bc3dfd74a40022bcc8a

SHA512
e4771bcec6bb86578ddb042a126683675e3cca83614f22bf44721b7cfddaa067ed162e692650e48a474d50e3de4728a6bfe4083500580998152cd2b4918b8516

Download Submit
memory/2024-54-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download
memory/2024-55-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download
memory/2024-56-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download
memory/2024-57-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download
memory/2024-58-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download
memory/2024-59-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download
memory/2024-60-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download
memory/2024-66-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download
memory/2024-70-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download