Analysis
max time kernel: 61s
max time network: 35s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 11-07-2023 09:24
Static task: static1
Behavioral task: behavioral1 (Sample: testfile.exe, Resource: win7-20230703-en)
Behavioral task: behavioral2 (Sample: testfile.exe, Resource: win10v2004-20230703-en)
General
Target: testfile.exe
Size: 81.0MB
MD5: 287a950b38c3e48e84553ca80cd0aba1
SHA1: c1f8f40fc2fbd43897931fb029cf2de81c9048f0
SHA256: 85ab31c1d2cf82b72a279ad7ba5b24dac3eadcd91af9ee9e677dbe188cd9f801
SHA512: ad3331752540718b77899ca7d1bb842895302bbc22d84fd238f92314e51844de34de3d43f97935019356498f16d15777a80f0de0074b784ffb8ac5a71b45744e
SSDEEP: 1572864:dqEUklqnfnDyj2EWTxFRcnUa5/8+G0dsFfZwoss6ei:kEUk+fDKWTxncnl5tsFfZwostV
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  process: leading.exe (pid 1748)
Loads dropped DLL (2 IoCs)
  processes: testfile.exe (pid 1620), leading.exe (pid 1748)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / process
  Token: 33 / 1324 / AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege / 1324 / AUDIODG.EXE
  Token: 33 / 1324 / AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege / 1324 / AUDIODG.EXE
Suspicious use of WriteProcessMemory (4 IoCs)
  description / pid / process / target process
  PID 1620 wrote to memory of 1748 / 1620 / testfile.exe / leading.exe (reported 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\testfile.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\testfile.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7zS2231.tmp\leading.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zS2231.tmp\leading.exe"
      - Executes dropped EXE
      - Loads dropped DLL
1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0xc4
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\7zS2231.tmp\leading.exe
Filesize: 2.4MB
MD5: 0262b8204546ab726b863ddd4950c01e
SHA1: ae985bf18df5c6e90e450b37ad905666d36ffac3
SHA256: b6e493c92ab21d3cffc5efda72a0afcee29e817e87256ae754aecfe9a1b421ea
SHA512: 8f49e6058d3aafa87a5f75529e23dc496ea6a56408fd3d375987cd544b332da20a95c41460a4a71351e8ac6c0fde804f0f60fb66c4b356f6bacf4dfd100b923d

C:\Users\Admin\AppData\Local\Temp\7zS2231.tmp\locales\ar-XB.pak.info
Filesize: 858KB
MD5: 99fdbd0a8d3e2f81c7dcbc5d58f2290a
SHA1: 427cf8f04ab3971549fa6088673cce0c891bdbfd
SHA256: 06b0e6d5e613dca6b5b764f70dffb04279638c51238cb53c990863088dd56fe6
SHA512: 52ae660c7d3181e3e62788b8cb62c690d39ded93e2878afaae4b6484f81beb2d4d4d2da65a1c000f614d527183952777351bbe06b7b4cd2b92be4051e7cb6c10

C:\Users\Admin\AppData\Local\Temp\7zS2231.tmp\nw_elf.dll
Filesize: 1.0MB
MD5: 10c43dddda567948b2f7377db36374e7
SHA1: bf1ddc58a8f050a6de18b51d1f9bb0f159cd098a
SHA256: f75c76ff8766c993c1d5fac647f94d17c622d9d9462fd590ae37997f507bbc82
SHA512: 617cbaf731f0dfa3e8a5cb1ffbbcc49780e33f685573687d07bd1674ef659b4cfd25a8c10702fc81b531e84d1ad5f5d6aaa2c79866fb6016d45c83a5df55c361

\Users\Admin\AppData\Local\Temp\7zS2231.tmp\leading.exe (same file as above, path recorded without drive letter)
Filesize: 2.4MB
MD5: 0262b8204546ab726b863ddd4950c01e
SHA1: ae985bf18df5c6e90e450b37ad905666d36ffac3
SHA256: b6e493c92ab21d3cffc5efda72a0afcee29e817e87256ae754aecfe9a1b421ea
SHA512: 8f49e6058d3aafa87a5f75529e23dc496ea6a56408fd3d375987cd544b332da20a95c41460a4a71351e8ac6c0fde804f0f60fb66c4b356f6bacf4dfd100b923d

\Users\Admin\AppData\Local\Temp\7zS2231.tmp\nw_elf.dll (same file as above, path recorded without drive letter)
Filesize: 1.0MB
MD5: 10c43dddda567948b2f7377db36374e7
SHA1: bf1ddc58a8f050a6de18b51d1f9bb0f159cd098a
SHA256: f75c76ff8766c993c1d5fac647f94d17c622d9d9462fd590ae37997f507bbc82
SHA512: 617cbaf731f0dfa3e8a5cb1ffbbcc49780e33f685573687d07bd1674ef659b4cfd25a8c10702fc81b531e84d1ad5f5d6aaa2c79866fb6016d45c83a5df55c361
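Added example, not part of this sandbox report and not tooling from the sandbox vendor: a small Python parser that turns the report's text into structured data. It reads the WriteProcessMemory signature into unique parent-to-child edges (the report lists the same IoC four times), collects pid-to-image pairs from the signature block, parses the dropped-file records (with the "MD5"/"SHA1" labels fused onto the hex, as a text export of this page produces them) and keys them by SHA256 so the same file listed under two path spellings collapses to one record, then flags any edge whose child image is a dropped file living in a %TEMP%\7zS<hex>.tmp directory. The only assumption beyond the report is that the 7zS<hex>.tmp name is the 7-Zip SFX extraction directory convention; the two input strings are constructed copies of lines on this page.

```python
"""Parse a flattened sandbox report (signatures + dropped files) into a process graph."""
# Added example; not part of the report. Assumes %TEMP%\7zS<hex>.tmp is the 7-Zip SFX
# extraction directory (standard 7-Zip SFX convention).
import re

# Constructed input: the report's signature lines in the raw one-line form a text export produces.
SIGNATURES = """\
Executes dropped EXE 1 IoCs
leading.exepid process 1748 leading.exe
Loads dropped DLL 2 IoCs
testfile.exeleading.exepid process 1620 testfile.exe 1748 leading.exe
Suspicious use of WriteProcessMemory 4 IoCs
testfile.exedescription pid process target process PID 1620 wrote to memory of 1748 1620 testfile.exe leading.exe PID 1620 wrote to memory of 1748 1620 testfile.exe leading.exe
"""

# Constructed input: three of the report's dropped-file records; leading.exe is listed twice
# under two path spellings, exactly as on the page.
DROPPED = """\
C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS2231.tmp\\leading.exeFilesize
2.4MB
MD50262b8204546ab726b863ddd4950c01e
SHA1ae985bf18df5c6e90e450b37ad905666d36ffac3
SHA256b6e493c92ab21d3cffc5efda72a0afcee29e817e87256ae754aecfe9a1b421ea
\\Users\\Admin\\AppData\\Local\\Temp\\7zS2231.tmp\\leading.exeFilesize
2.4MB
MD50262b8204546ab726b863ddd4950c01e
SHA1ae985bf18df5c6e90e450b37ad905666d36ffac3
SHA256b6e493c92ab21d3cffc5efda72a0afcee29e817e87256ae754aecfe9a1b421ea
C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS2231.tmp\\nw_elf.dllFilesize
1.0MB
MD510c43dddda567948b2f7377db36374e7
SHA1bf1ddc58a8f050a6de18b51d1f9bb0f159cd098a
SHA256f75c76ff8766c993c1d5fac647f94d17c622d9d9462fd590ae37997f507bbc82
"""

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
PID_IMAGE_RE = re.compile(r"\b(\d{2,6}) ([\w-]+\.exe)\b", re.I)
SFX_TEMP_RE = re.compile(r"\\Temp\\7zS[0-9A-F]+\.tmp\\", re.I)  # 7-Zip SFX extraction dir
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def memory_writes(text):
    """Unique (writer_pid, target_pid, writer_image, target_image) edges; the report repeats each IoC."""
    return sorted({(int(w), int(t), wi, ti) for w, t, wi, ti in WRITE_RE.findall(text)})


def pid_map(text):
    """pid -> image name, harvested from every 'pid image.exe' pair in the signature block."""
    return {int(pid): image for pid, image in PID_IMAGE_RE.findall(text)}


def parse_dropped(text):
    """Dropped-file records keyed by SHA256, so a file listed under two paths collapses to one."""
    records, current = {}, None
    for line in text.splitlines():
        if line.endswith("Filesize"):           # a path line with the 'Filesize' label fused on
            current = {"path": line[: -len("Filesize")], "size": None}
            continue
        if current is None:
            continue
        m = HASH_RE.match(line)
        if m and len(m.group(2)) == HASH_LEN[m.group(1)]:   # reject truncated/garbled digests
            current[m.group(1).lower()] = m.group(2)
            if m.group(1) == "SHA256":
                records.setdefault(m.group(2), current)     # first path spelling wins
        elif current["size"] is None:
            current["size"] = line
    return records


def sfx_dropped_executions(writes, pids, dropped):
    """Parent->child edges whose child image is a dropped file inside a 7zS*.tmp directory."""
    by_name = {}
    for rec in dropped.values():
        by_name.setdefault(rec["path"].rsplit("\\", 1)[-1].lower(), rec)
    hits = []
    for wpid, tpid, wimg, timg in writes:
        if pids.get(tpid, timg).lower() != timg.lower():    # pid/image disagreement: skip
            continue
        rec = by_name.get(timg.lower())
        if rec and SFX_TEMP_RE.search(rec["path"]):
            hits.append({"parent": f"{wimg}:{wpid}", "child": f"{timg}:{tpid}",
                         "dropped_path": rec["path"], "sha256": rec["sha256"]})
    return hits


if __name__ == "__main__":
    dropped = parse_dropped(DROPPED)
    for h in sfx_dropped_executions(memory_writes(SIGNATURES), pid_map(SIGNATURES), dropped):
        print(f"{h['parent']} -> {h['child']}  dropped at {h['dropped_path']}  sha256={h['sha256']}")
```

Run as-is it reports the single chain the report shows: testfile.exe (pid 1620) writing into leading.exe (pid 1748), which is the dropped file in 7zS2231.tmp. Read the WriteProcessMemory signature with care: a parent writing into a child it has just created is also what ordinary process creation looks like, so on its own it does not establish injection; what is worth keeping from this report is the extract-to-Temp-and-run chain together with the dropped-file hashes, which the parser returns in a form that can be matched against other systems.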