cd0772a4089bfa360622ba94a52ccce9ffcf82064aa23862073dad58423cadde

Resubmissions

31-05-2023 15:21

230531-srdyxagb71 5

31-05-2023 14:46

230531-r5g22sfe98 7

Analysis

max time kernel
134s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2023 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mcafe.exe
Size

638KB
MD5

76166c4ad30e3da0060f41fe59e465f1
SHA1

31d887a689a2a6fab9723589bd02d5c15ec09924
SHA256

908d00c0d3a8fe68b7cb0da154143ac81e357b1ca043ff25ac3581d2186defcb
SHA512

e0ed4e2af54add6d449d9b4ac0ac291ed9195a96d55a44c956fd7d32f7144ef432d9da14a5d6ff00fb3e94e79df8a7278338f3c475936b62a5da3848ab538f47
SSDEEP

3072:FgXpJozm2lkCsuYDbM2ZZQ4MGGfviMQYTQbrEQ:IpC62lkCMcGGHikTk

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

Processes:

Mcafe.exe

description	ioc	process
File opened for modification	C:\Windows\system32\XInput9_1_0.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\kernel32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\UxTheme.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\d3d11.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\profapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\wbemcomn.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\UxTheme.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\DLL\psapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\ntdll.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\msvcp_win.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\rpcrt4.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\bcrypt.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\XInput9_1_0.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\iphlpapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\fastprox.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\MMDevAPI.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\msvcp_win.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\winhttp.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\rpcrt4.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\setupapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\cfgmgr32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\kernelbase.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\exe\WindowsPlayer_Master_mono_x64.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\msvcp_win.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\rpcrt4.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\WinTypes.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\dbghelp.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\user32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\crypt32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\CLBCatQ.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\UMPDC.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\ntdll.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\win32u.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\gdi32full.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\ResourcePolicyClient.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\Windows.Storage.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\UnityPlayer_Win64_mono_x64.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\sechost.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\imm32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\crypt32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\WLDP.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\d3d11.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\mono-2.0-bdwgc.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\msvcrt.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\opengl32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\wbemsvc.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\cfgmgr32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\wbemprox.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dbghelp.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\sspicli.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\shell32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\Kernel.Appcore.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\DXCore.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\DLL\audioses.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\advapi32.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\wbemsvc.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\dwmapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dll\msctf.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\CLBCatQ.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\XInput9_1_0.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\symbols\dll\CoreMessaging.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\devobj.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\CoreUIComponents.pdb	Mcafe.exe
File opened for modification	C:\Windows\system32\dwmapi.pdb	Mcafe.exe

Drops file in Windows directory 64 IoCs

Processes:

Mcafe.exe

description	ioc	process
File opened for modification	C:\Windows\dll\Amsi.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\crypt32.pdb	Mcafe.exe
File opened for modification	C:\Windows\DXCore.pdb	Mcafe.exe
File opened for modification	C:\Windows\devobj.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\ws2_32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\UxTheme.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\bcrypt.pdb	Mcafe.exe
File opened for modification	C:\Windows\imm32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\d3d11.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\sechost.pdb	Mcafe.exe
File opened for modification	C:\Windows\ws2_32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\MMDevAPI.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\ucrtbase.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\advapi32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\winhttp.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\wbemcomn.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\TextInputFramework.pdb	Mcafe.exe
File opened for modification	C:\Windows\bcryptprimitives.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\rsaenh.pdb	Mcafe.exe
File opened for modification	C:\Windows\version.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\DLL\psapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\audioses.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\CoreUIComponents.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\msvcp_win.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\Kernel.Appcore.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\d3d10warp.pdb	Mcafe.exe
File opened for modification	C:\Windows\ucrtbase.pdb	Mcafe.exe
File opened for modification	C:\Windows\combase.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\wbemprox.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\wbemcomn.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\WLDP.pdb	Mcafe.exe
File opened for modification	C:\Windows\glu32.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\shcore.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\shell32.pdb	Mcafe.exe
File opened for modification	C:\Windows\DLL\kernel32.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\imm32.pdb	Mcafe.exe
File opened for modification	C:\Windows\opengl32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\Amsi.pdb	Mcafe.exe
File opened for modification	C:\Windows\ResourcePolicyClient.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\ucrtbase.pdb	Mcafe.exe
File opened for modification	C:\Windows\CoreUIComponents.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\kernelbase.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\user32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\crypt32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\DXCore.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\CoreUIComponents.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\DLL\kernel32.pdb	Mcafe.exe
File opened for modification	C:\Windows\user32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\gdi32.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\ole32.pdb	Mcafe.exe
File opened for modification	C:\Windows\rpcrt4.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\cfgmgr32.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\DXCore.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\ntdll.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\oleaut32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\glu32.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\iphlpapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\wbemprox.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\CoreMessaging.pdb	Mcafe.exe
File opened for modification	C:\Windows\ntdll.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\win32u.pdb	Mcafe.exe
File opened for modification	C:\Windows\psapi.pdb	Mcafe.exe
File opened for modification	C:\Windows\symbols\dll\bcrypt.pdb	Mcafe.exe
File opened for modification	C:\Windows\dll\msctf.pdb	Mcafe.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4436 5024 WerFault.exe Mcafe.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 3016 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3016 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Mcafe.exe

pid process

5024 Mcafe.exe

pid	pid_target	process	target process
4436	5024	WerFault.exe	Mcafe.exe

description	pid	process
Token: 33	3016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3016	AUDIODG.EXE

pid	process
5024	Mcafe.exe

C:\Users\Admin\AppData\Local\Temp\Mcafe.exe
"C:\Users\Admin\AppData\Local\Temp\Mcafe.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5024

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5024 -s 2480
2⤵
- Program crash
PID:4436

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d4 0x2d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 5024 -ip 5024
1⤵
PID:2024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5024-133-0x000001CA953D0000-0x000001CA953E0000-memory.dmp

Filesize
64KB

Download
memory/5024-135-0x000001CC5AA90000-0x000001CC5AAB0000-memory.dmp

Filesize
128KB

Download
memory/5024-134-0x000001CA953B0000-0x000001CA953C0000-memory.dmp

Filesize
64KB

Download
memory/5024-136-0x000001CC7C4C0000-0x000001CC7C4D0000-memory.dmp

Filesize
64KB

Download
memory/5024-137-0x000001CC7AD40000-0x000001CC7AD50000-memory.dmp

Filesize
64KB

Download
memory/5024-138-0x000001CC7AD50000-0x000001CC7AD60000-memory.dmp

Filesize
64KB

Download
memory/5024-139-0x000001CC7ADB0000-0x000001CC7ADC0000-memory.dmp

Filesize
64KB

Download
memory/5024-140-0x000001CC7B040000-0x000001CC7B050000-memory.dmp

Filesize
64KB

Download
memory/5024-142-0x000001CC9D850000-0x000001CC9D860000-memory.dmp

Filesize
64KB

Download
memory/5024-146-0x000001CC9E890000-0x000001CC9E8A0000-memory.dmp

Filesize
64KB

Download
memory/5024-145-0x000001CC9E8B0000-0x000001CC9E8C0000-memory.dmp

Filesize
64KB

Download
memory/5024-144-0x000001CC9E8A0000-0x000001CC9E8B0000-memory.dmp

Filesize
64KB

Download
memory/5024-143-0x000001CC9D860000-0x000001CC9D870000-memory.dmp

Filesize
64KB

Download
memory/5024-141-0x000001CC9C870000-0x000001CC9C880000-memory.dmp

Filesize
64KB

Download
memory/5024-147-0x000001CA953D0000-0x000001CA953E0000-memory.dmp

Filesize
64KB

Download
memory/5024-148-0x000001CA953B0000-0x000001CA953C0000-memory.dmp

Filesize
64KB

Download
memory/5024-149-0x000001CC5AA90000-0x000001CC5AAB0000-memory.dmp

Filesize
128KB

Download
memory/5024-150-0x000001CC7C4C0000-0x000001CC7C4D0000-memory.dmp

Filesize
64KB

Download
memory/5024-151-0x000001CC7AD40000-0x000001CC7AD50000-memory.dmp

Filesize
64KB

Download
memory/5024-152-0x000001CC7ADB0000-0x000001CC7ADC0000-memory.dmp

Filesize
64KB

Download
memory/5024-153-0x000001CC7B040000-0x000001CC7B050000-memory.dmp

Filesize
64KB

Download
memory/5024-154-0x000001CC9C870000-0x000001CC9C880000-memory.dmp

Filesize
64KB

Download
memory/5024-155-0x000001CC9D850000-0x000001CC9D860000-memory.dmp

Filesize
64KB

Download
memory/5024-156-0x000001CC9E8A0000-0x000001CC9E8B0000-memory.dmp

Filesize
64KB

Download
memory/5024-157-0x000001CC9E8B0000-0x000001CC9E8C0000-memory.dmp

Filesize
64KB

Download
memory/5024-158-0x000001CC9E890000-0x000001CC9E8A0000-memory.dmp

Filesize
64KB

Download