cd0772a4089bfa360622ba94a52ccce9ffcf82064aa23862073dad58423cadde

Resubmissions

31/05/2023, 15:21 UTC

230531-srdyxagb71 5

31/05/2023, 14:46 UTC

230531-r5g22sfe98 7

Analysis

max time kernel
134s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2023, 15:21 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mcafe.exe
Size

638KB
MD5

76166c4ad30e3da0060f41fe59e465f1
SHA1

31d887a689a2a6fab9723589bd02d5c15ec09924
SHA256

908d00c0d3a8fe68b7cb0da154143ac81e357b1ca043ff25ac3581d2186defcb
SHA512

e0ed4e2af54add6d449d9b4ac0ac291ed9195a96d55a44c956fd7d32f7144ef432d9da14a5d6ff00fb3e94e79df8a7278338f3c475936b62a5da3848ab538f47
SSDEEP

3072:FgXpJozm2lkCsuYDbM2ZZQ4MGGfviMQYTQbrEQ:IpC62lkCMcGGHikTk

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\XInput9_1_0.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\kernel32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\UxTheme.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\d3d11.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\profapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\wbemcomn.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\UxTheme.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\DLL\psapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\ntdll.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\msvcp_win.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\rpcrt4.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\bcrypt.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\XInput9_1_0.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\iphlpapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\fastprox.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\MMDevAPI.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\msvcp_win.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\winhttp.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\rpcrt4.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\setupapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\cfgmgr32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\kernelbase.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\exe\WindowsPlayer_Master_mono_x64.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\msvcp_win.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\rpcrt4.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\WinTypes.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\dbghelp.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\user32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\crypt32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\CLBCatQ.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\UMPDC.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\ntdll.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\win32u.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\gdi32full.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\ResourcePolicyClient.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\Windows.Storage.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\UnityPlayer_Win64_mono_x64.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\sechost.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\imm32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\crypt32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\WLDP.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\d3d11.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\mono-2.0-bdwgc.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\msvcrt.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\opengl32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\wbemsvc.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\cfgmgr32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\wbemprox.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dbghelp.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\sspicli.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\shell32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\Kernel.Appcore.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\DXCore.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\DLL\audioses.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\advapi32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\wbemsvc.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\dwmapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\msctf.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\CLBCatQ.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\XInput9_1_0.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\CoreMessaging.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\devobj.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\CoreUIComponents.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dwmapi.pdb	Mcafe.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dll\Amsi.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\crypt32.pdb	Mcafe.exe
File opened for modification	C:\Windows\DXCore.pdb	Mcafe.exe
File opened for modification	C:\Windows\devobj.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\ws2_32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\UxTheme.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\bcrypt.pdb	Mcafe.exe
File opened for modification	C:\Windows\imm32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\d3d11.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\sechost.pdb	Mcafe.exe
File opened for modification	C:\Windows\ws2_32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\MMDevAPI.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\ucrtbase.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\advapi32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\winhttp.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\wbemcomn.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\TextInputFramework.pdb	Mcafe.exe
File opened for modification	C:\Windows\bcryptprimitives.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\rsaenh.pdb	Mcafe.exe
File opened for modification	C:\Windows\version.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\DLL\psapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\audioses.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\CoreUIComponents.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\msvcp_win.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\Kernel.Appcore.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\d3d10warp.pdb	Mcafe.exe
File opened for modification	C:\Windows\ucrtbase.pdb	Mcafe.exe
File opened for modification	C:\Windows\combase.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\wbemprox.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\wbemcomn.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\WLDP.pdb	Mcafe.exe
File opened for modification	C:\Windows\glu32.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\shcore.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\shell32.pdb	Mcafe.exe
File opened for modification	C:\Windows\DLL\kernel32.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\imm32.pdb	Mcafe.exe
File opened for modification	C:\Windows\opengl32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\Amsi.pdb	Mcafe.exe
File opened for modification	C:\Windows\ResourcePolicyClient.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\ucrtbase.pdb	Mcafe.exe
File opened for modification	C:\Windows\CoreUIComponents.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\kernelbase.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\user32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\crypt32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\DXCore.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\CoreUIComponents.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\DLL\kernel32.pdb	Mcafe.exe
File opened for modification	C:\Windows\user32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\gdi32.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\ole32.pdb	Mcafe.exe
File opened for modification	C:\Windows\rpcrt4.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\cfgmgr32.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\DXCore.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\ntdll.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\oleaut32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\glu32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\iphlpapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\wbemprox.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\CoreMessaging.pdb	Mcafe.exe
File opened for modification	C:\Windows\ntdll.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\win32u.pdb	Mcafe.exe
File opened for modification	C:\Windows\psapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\bcrypt.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\msctf.pdb	Mcafe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4436	5024	WerFault.exe	80

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3016	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5024	Mcafe.exe

C:\Users\Admin\AppData\Local\Temp\Mcafe.exe
"C:\Users\Admin\AppData\Local\Temp\Mcafe.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5024
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5024 -s 2480
  2⤵
  - Program crash
  PID:4436

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d4 0x2d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 5024 -ip 5024
1⤵
PID:2024

Network

DNS

8.3.197.209.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.3.197.209.in-addr.arpa

IN PTR

Response

8.3.197.209.in-addr.arpa

IN PTR

vip0x008map2sslhwcdnnet
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

user168498.7ci.ru

Mcafe.exe

Remote address:

8.8.8.8:53

Request

user168498.7ci.ru

IN A

Response

user168498.7ci.ru

IN A

168.119.91.34
GET

http://user168498.7ci.ru/abra.bat

Mcafe.exe

Remote address:

168.119.91.34:80

Request

GET /abra.bat HTTP/1.1
Connection: keep-alive
Host: user168498.7ci.ru

Response

HTTP/1.1 200 OK

Server: nginx/1.23.1
Date: Wed, 31 May 2023 15:44:34 GMT
Content-Type: application/x-msdos-program
Content-Length: 500
Connection: keep-alive
Last-Modified: Fri, 19 May 2023 23:03:59 GMT
ETag: "1f4-5fc13efb38747"
Accept-Ranges: bytes
DNS

34.91.119.168.in-addr.arpa

Remote address:

8.8.8.8:53

Request

34.91.119.168.in-addr.arpa

IN PTR

Response

34.91.119.168.in-addr.arpa

IN PTR

g1cishostru
DNS

64.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

1.77.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.77.109.52.in-addr.arpa

IN PTR

Response
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response

168.119.91.34:80

http://user168498.7ci.ru/abra.bat

http

Mcafe.exe

305 B
893 B
5
3

HTTP Request

GET http://user168498.7ci.ru/abra.bat

HTTP Response

200
127.0.0.1:49737

Mcafe.exe
52.152.110.14:443

260 B
5
84.53.175.11:80

322 B
7
52.152.110.14:443

260 B
5
52.152.110.14:443

260 B
5
52.152.110.14:443

260 B
5
52.152.110.14:443

260 B
5
52.152.110.14:443

260 B
5

8.8.8.8:53

8.3.197.209.in-addr.arpa

dns

70 B
111 B
1
1

DNS Request

8.3.197.209.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

user168498.7ci.ru

dns

Mcafe.exe

63 B
79 B
1
1

DNS Request

user168498.7ci.ru

DNS Response

168.119.91.34
8.8.8.8:53

34.91.119.168.in-addr.arpa

dns

72 B
99 B
1
1

DNS Request

34.91.119.168.in-addr.arpa
8.8.8.8:53

64.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

64.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

1.77.109.52.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

1.77.109.52.in-addr.arpa
8.8.8.8:53

4.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

4.159.190.20.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5024-133-0x000001CA953D0000-0x000001CA953E0000-memory.dmp

Filesize
64KB

Download
memory/5024-135-0x000001CC5AA90000-0x000001CC5AAB0000-memory.dmp

Filesize
128KB

Download
memory/5024-134-0x000001CA953B0000-0x000001CA953C0000-memory.dmp

Filesize
64KB

Download
memory/5024-136-0x000001CC7C4C0000-0x000001CC7C4D0000-memory.dmp

Filesize
64KB

Download
memory/5024-137-0x000001CC7AD40000-0x000001CC7AD50000-memory.dmp

Filesize
64KB

Download
memory/5024-138-0x000001CC7AD50000-0x000001CC7AD60000-memory.dmp

Filesize
64KB

Download
memory/5024-139-0x000001CC7ADB0000-0x000001CC7ADC0000-memory.dmp

Filesize
64KB

Download
memory/5024-140-0x000001CC7B040000-0x000001CC7B050000-memory.dmp

Filesize
64KB

Download
memory/5024-142-0x000001CC9D850000-0x000001CC9D860000-memory.dmp

Filesize
64KB

Download
memory/5024-146-0x000001CC9E890000-0x000001CC9E8A0000-memory.dmp

Filesize
64KB

Download
memory/5024-145-0x000001CC9E8B0000-0x000001CC9E8C0000-memory.dmp

Filesize
64KB

Download
memory/5024-144-0x000001CC9E8A0000-0x000001CC9E8B0000-memory.dmp

Filesize
64KB

Download
memory/5024-143-0x000001CC9D860000-0x000001CC9D870000-memory.dmp

Filesize
64KB

Download
memory/5024-141-0x000001CC9C870000-0x000001CC9C880000-memory.dmp

Filesize
64KB

Download
memory/5024-147-0x000001CA953D0000-0x000001CA953E0000-memory.dmp

Filesize
64KB

Download
memory/5024-148-0x000001CA953B0000-0x000001CA953C0000-memory.dmp

Filesize
64KB

Download
memory/5024-149-0x000001CC5AA90000-0x000001CC5AAB0000-memory.dmp

Filesize
128KB

Download
memory/5024-150-0x000001CC7C4C0000-0x000001CC7C4D0000-memory.dmp

Filesize
64KB

Download
memory/5024-151-0x000001CC7AD40000-0x000001CC7AD50000-memory.dmp

Filesize
64KB

Download
memory/5024-152-0x000001CC7ADB0000-0x000001CC7ADC0000-memory.dmp

Filesize
64KB

Download
memory/5024-153-0x000001CC7B040000-0x000001CC7B050000-memory.dmp

Filesize
64KB

Download
memory/5024-154-0x000001CC9C870000-0x000001CC9C880000-memory.dmp

Filesize
64KB

Download
memory/5024-155-0x000001CC9D850000-0x000001CC9D860000-memory.dmp

Filesize
64KB

Download
memory/5024-156-0x000001CC9E8A0000-0x000001CC9E8B0000-memory.dmp

Filesize
64KB

Download
memory/5024-157-0x000001CC9E8B0000-0x000001CC9E8C0000-memory.dmp

Filesize
64KB

Download
memory/5024-158-0x000001CC9E890000-0x000001CC9E8A0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.