85ab31c1d2cf82b72a279ad7ba5b24dac3eadcd91af9ee9e677dbe188cd9f801

Resubmissions

11-07-2023 09:24

230711-lc9zgaga52 7

10-07-2023 14:46

230710-r5d1dsbc92 7

Analysis

max time kernel
61s
max time network
35s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11-07-2023 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

testfile.exe
Size

81.0MB
MD5

287a950b38c3e48e84553ca80cd0aba1
SHA1

c1f8f40fc2fbd43897931fb029cf2de81c9048f0
SHA256

85ab31c1d2cf82b72a279ad7ba5b24dac3eadcd91af9ee9e677dbe188cd9f801
SHA512

ad3331752540718b77899ca7d1bb842895302bbc22d84fd238f92314e51844de34de3d43f97935019356498f16d15777a80f0de0074b784ffb8ac5a71b45744e
SSDEEP

1572864:dqEUklqnfnDyj2EWTxFRcnUa5/8+G0dsFfZwoss6ei:kEUk+fDKWTxncnl5tsFfZwostV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

leading.exe

pid process

1748 leading.exe
Loads dropped DLL 2 IoCs

Processes:

testfile.exeleading.exe

pid process

1620 testfile.exe
1748 leading.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1748	leading.exe

pid	process
1620	testfile.exe
1748	leading.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1324	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1324	AUDIODG.EXE
Token: 33	1324	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1324	AUDIODG.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

testfile.exe

description	pid	process	target process
PID 1620 wrote to memory of 1748	1620	testfile.exe	leading.exe
PID 1620 wrote to memory of 1748	1620	testfile.exe	leading.exe
PID 1620 wrote to memory of 1748	1620	testfile.exe	leading.exe
PID 1620 wrote to memory of 1748	1620	testfile.exe	leading.exe

C:\Users\Admin\AppData\Local\Temp\testfile.exe
"C:\Users\Admin\AppData\Local\Temp\testfile.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\7zS2231.tmp\leading.exe
"C:\Users\Admin\AppData\Local\Temp\7zS2231.tmp\leading.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1324

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS2231.tmp\leading.exe
Filesize
2.4MB

MD5
0262b8204546ab726b863ddd4950c01e

SHA1
ae985bf18df5c6e90e450b37ad905666d36ffac3

SHA256
b6e493c92ab21d3cffc5efda72a0afcee29e817e87256ae754aecfe9a1b421ea

SHA512
8f49e6058d3aafa87a5f75529e23dc496ea6a56408fd3d375987cd544b332da20a95c41460a4a71351e8ac6c0fde804f0f60fb66c4b356f6bacf4dfd100b923d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2231.tmp\leading.exe
Filesize
2.4MB

MD5
0262b8204546ab726b863ddd4950c01e

SHA1
ae985bf18df5c6e90e450b37ad905666d36ffac3

SHA256
b6e493c92ab21d3cffc5efda72a0afcee29e817e87256ae754aecfe9a1b421ea

SHA512
8f49e6058d3aafa87a5f75529e23dc496ea6a56408fd3d375987cd544b332da20a95c41460a4a71351e8ac6c0fde804f0f60fb66c4b356f6bacf4dfd100b923d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2231.tmp\locales\ar-XB.pak.info
Filesize
858KB

MD5
99fdbd0a8d3e2f81c7dcbc5d58f2290a

SHA1
427cf8f04ab3971549fa6088673cce0c891bdbfd

SHA256
06b0e6d5e613dca6b5b764f70dffb04279638c51238cb53c990863088dd56fe6

SHA512
52ae660c7d3181e3e62788b8cb62c690d39ded93e2878afaae4b6484f81beb2d4d4d2da65a1c000f614d527183952777351bbe06b7b4cd2b92be4051e7cb6c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2231.tmp\nw_elf.dll
Filesize
1.0MB

MD5
10c43dddda567948b2f7377db36374e7

SHA1
bf1ddc58a8f050a6de18b51d1f9bb0f159cd098a

SHA256
f75c76ff8766c993c1d5fac647f94d17c622d9d9462fd590ae37997f507bbc82

SHA512
617cbaf731f0dfa3e8a5cb1ffbbcc49780e33f685573687d07bd1674ef659b4cfd25a8c10702fc81b531e84d1ad5f5d6aaa2c79866fb6016d45c83a5df55c361

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2231.tmp\leading.exe
Filesize
2.4MB

MD5
0262b8204546ab726b863ddd4950c01e

SHA1
ae985bf18df5c6e90e450b37ad905666d36ffac3

SHA256
b6e493c92ab21d3cffc5efda72a0afcee29e817e87256ae754aecfe9a1b421ea

SHA512
8f49e6058d3aafa87a5f75529e23dc496ea6a56408fd3d375987cd544b332da20a95c41460a4a71351e8ac6c0fde804f0f60fb66c4b356f6bacf4dfd100b923d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2231.tmp\nw_elf.dll
Filesize
1.0MB

MD5
10c43dddda567948b2f7377db36374e7

SHA1
bf1ddc58a8f050a6de18b51d1f9bb0f159cd098a

SHA256
f75c76ff8766c993c1d5fac647f94d17c622d9d9462fd590ae37997f507bbc82

SHA512
617cbaf731f0dfa3e8a5cb1ffbbcc49780e33f685573687d07bd1674ef659b4cfd25a8c10702fc81b531e84d1ad5f5d6aaa2c79866fb6016d45c83a5df55c361

Download Submit