7dbc46f64248c54bba49b70c723f5dbf04058c3dc195dc1e142c36bf8b5675f9

Resubmissions

06/07/2023, 12:57

230706-p6wkqacd6t 3

06/07/2023, 12:52

230706-p4ffqabb37 3

Analysis

max time kernel
140s
max time network
134s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 12:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fcace809a9425f599f98037296b2a1cb7689bf3df40994205147b053b317fca4.exe
Size

232KB
MD5

34fd848f1ac40ecf35590b053cbb8257
SHA1

9ddc927e109a3159635bc77151942184cc1abb2e
SHA256

fcace809a9425f599f98037296b2a1cb7689bf3df40994205147b053b317fca4
SHA512

2cdfc63d5d9a337193a4640ddb8d438d53259253b0c7dd7fed4f4f751c79a18606f1c15a75fbc954699c95d2decf9478da7234b21d9e35d8d7ab51946ee78d69
SSDEEP

6144:6v5z1JO92UbEJoa5DdnMPSvr2gSjrMjZOjH:am5soazMqvrHSq8

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	428	AUDIODG.EXE
Token: 33	428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	428	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 576	2696	control.exe	35
PID 2696 wrote to memory of 576	2696	control.exe	35
PID 2696 wrote to memory of 576	2696	control.exe	35

C:\Users\Admin\AppData\Local\Temp\fcace809a9425f599f98037296b2a1cb7689bf3df40994205147b053b317fca4.exe
"C:\Users\Admin\AppData\Local\Temp\fcace809a9425f599f98037296b2a1cb7689bf3df40994205147b053b317fca4.exe"
1⤵
PID:2380

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3008

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:544

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" /name Microsoft.Sound /page 2
1⤵
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\mmsys.cpl ,2
  2⤵
  PID:576

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-55-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download
memory/2380-54-0x00000000003C0000-0x0000000000440000-memory.dmp

Filesize
512KB

Download