Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/07/2023, 06:38

General

  • Target

    936-506-0x0000000000400000-0x0000000000477000-memory.exe

  • Size

    476KB

  • MD5

    f4660cfd074a331031e9fb6718d733e3

  • SHA1

    fdb9971f56a36e1945eb1df7cf76646347673568

  • SHA256

    856ef00b309506f974d75cd7a1354d2009e36c75fd30264c3507ba805ec7b173

  • SHA512

    0de8ac466fdeb1ceb6598bd0bd9dda9187538418595243e91d4726d0567dec35f665b6e04592cf853d979a41558a99cb3a0c0cc5968159ee9ceba1bd7eb8651c

  • SSDEEP

    12288:o4wcFv6y7kax04kbW/lE+mYBEXqUvAq521OjYKkJj6GmZU:ic5hkipmYBEXV4QYb6nZ

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API (the Schedule.Service COM class and its ITaskService family of interfaces) can be used to schedule applications to run on boot or at set times, which makes it a common persistence mechanism. Read these signatures against the process tree below before attributing them to the sample: only "Suspicious use of SetWindowsHookEx" is recorded on the submitted executable (PID 484). The System32 file drops are recorded on svchost.exe -k netsvcs (PID 3508) and the AdjustPrivilegeToken hit on svchost.exe -k UnistackSvcGroup (PID 3616), and the Task Scheduler COM API hit is not tied to any listed process. All dropped files sit under C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints and carry a name formatted like a Microsoft Store product ID, so they were written by the service host rather than by the sample.
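The report records that the Task Scheduler COM API was used but does not say which task, if any, was registered. The following PowerShell is an added example, not part of the sandbox report or of the sample, that walks the same Schedule.Service COM interface on an endpoint (including hidden tasks) and flags tasks registered after a cut-off time, marked hidden, or whose action runs from a user-writable directory. The $Since default and the path patterns are assumptions chosen for illustration.

```powershell
# Added example: audit scheduled tasks through the Schedule.Service COM interface.
# Assumptions (not from the report): the one-day look-back and the path patterns below.
param(
    [datetime]$Since = (Get-Date).AddDays(-1)
)

# Regex fragments for locations a standard user can write to; a task whose
# action lives here deserves a second look.
$suspectPathPatterns = @(
    '\\AppData\\Local\\Temp\\',
    '\\AppData\\Roaming\\',
    '\\Users\\Public\\',
    '\\ProgramData\\'
)

function Get-AllScheduledTasks {
    param([object]$Folder)
    # TASK_ENUM_HIDDEN = 1: also return tasks that set the Hidden flag.
    foreach ($task in $Folder.GetTasks(1)) { $task }
    foreach ($sub in $Folder.GetFolders(0)) { Get-AllScheduledTasks -Folder $sub }
}

$service = New-Object -ComObject 'Schedule.Service'
$service.Connect()            # no arguments = local machine; pass a hostname for a remote box
$root = $service.GetFolder('\')

$findings = foreach ($task in Get-AllScheduledTasks -Folder $root) {
    $def = $task.Definition
    foreach ($action in $def.Actions) {
        # TASK_ACTION_EXEC = 0; COM-handler, e-mail and message actions have no Path.
        if ($action.Type -ne 0) { continue }
        $cmd = "$($action.Path) $($action.Arguments)".Trim()

        # RegistrationInfo.Date is an ISO 8601 string and may be empty.
        $registered = $null
        if ($def.RegistrationInfo.Date) { $registered = [datetime]$def.RegistrationInfo.Date }

        $reasons = @()
        if ($registered -and $registered -ge $Since) { $reasons += "registered $registered" }
        foreach ($pattern in $suspectPathPatterns) {
            if ($cmd -match $pattern) { $reasons += "runs from $pattern"; break }
        }
        if ($def.Settings.Hidden) { $reasons += 'hidden' }
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject]@{
            TaskPath   = $task.Path
            RunAs      = $def.Principal.UserId
            Command    = $cmd
            Registered = $registered
            Reasons    = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Registered -Descending | Format-Table -AutoSize -Wrap
```

Run it on the host where the sample was detonated with -Since set to the time the sample was launched; a task whose action points at the sample's drop directory (here C:\Users\Admin\AppData\Local\Temp) would be the persistence artefact this signature hints at. Enumerating via the COM object rather than Get-ScheduledTask matters because the COM path returns hidden tasks when asked and does not depend on the ScheduledTasks module being present.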

Processes

  • C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe
    "C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:484
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    PID:3508
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
    PID:1764
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3616

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\wsuA75C.tmp

      Filesize

      14KB

      MD5

      c01eaa0bdcd7c30a42bbb35a9acbf574

      SHA1

      0aee3e1b873e41d040f1991819d0027b6cc68f54

      SHA256

      32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

      SHA512

      d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

      Filesize

      29KB

      MD5

      a37a38eddf59c6ce17db1cb073b5293f

      SHA1

      86c8d5ec01ab3eeba6dfd7fa020e22cfe114e5ba

      SHA256

      3390dc23230ff084077a447cb524827ee053e485ba35f5db470cecbf62e0f7df

      SHA512

      c8afda83a48f21cf8ed249da4dad4365db6cf246afa80eec79ce0418289204cc9f768bbd734a1e2ac69003b412f633094bea2f268dbf4467c2af2c301440a816

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

      Filesize

      29KB

      MD5

      9b6102abd8c38f791f0517bad60306eb

      SHA1

      dd3a5d06dc30f343b8da39e754cc9fc1235f5ec6

      SHA256

      a99b3b7bde22c685295a450d8cc3b4f5f6a767af2f93c9782f9b4b9f9af29316

      SHA512

      18dce146d7e2a36bbbb2a6fc4c5ffb3e645ceeb2f4e58734e1b680c4f89a41b3203845e36f4da03d5112063b523be59ee98213b390f329165dd477aebdeed051

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

      Filesize

      29KB

      MD5

      77426eebc0801c4e5ba8051f23fd497f

      SHA1

      c6097919a73afa4f2cd46d9fca1a5bb806315c9d

      SHA256

      3c73b74f0e73bcd5777186eaa9bb1b5f081f3d849202d5603fe398053f348fcc

      SHA512

      0ea92e2cc42c458265a7e94468eb5b6cd13f2f7d98ca69a0bbabd5c817ba604a4a4fbf11e61ec27a394f9a4fc08d0dcf2c21cf236797f60c7acb834f2852c283

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

      Filesize

      29KB

      MD5

      6e95823fdf5aa50e1e65b23f74a3bbed

      SHA1

      f100fbc86c1cff86ac3283edf127e2b1f03f3920

      SHA256

      ad34a1a08bc40a234728fef3b2e113a9f101e96f03f0b94934d5d4f511bb1172

      SHA512

      afac560f387dd9dfb8a220f8b2038f1fab2bb75453fd63cb901b6bb7c91ddaa02655c92bff7bdaa43090e6eb3d44a38dc77e1339f9dfe752f2813d5c1cf08a20

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

      Filesize

      29KB

      MD5

      f6a70cebf35fca256c80056c3b766c86

      SHA1

      43848e03e1b70efd07cb574c8bed3d453021e6c4

      SHA256

      84487dc415fbe3a5bfd7cbda31091c6358eef3ff24f401a2ca7083c5ffd55c7d

      SHA512

      ec2432afc4cc445b2a86deb8b835c844adb950b85a30511150c30fde34e2ba393fe44c2fee2e7bb7fc37f733cbea10a52c12cbe341d1589a023bb50de414d7b3

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

      Filesize

      29KB

      MD5

      5c76878e092092d12763e75c7794a795

      SHA1

      80a6d01b96ecf6cf54b631df986c9824d42ce891

      SHA256

      9d07631f9cd34b1f41c12c27e0c67415e3447dc0dd266616280f2a272e140206

      SHA512

      218f7404f3980bc03aa1ae791b686fcb088f9f061665046bd07d2dc111977b4902a8e25e4c9cacad0f93a93606c032b728e3262613a727313f1e58cf1388cd67

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

      Filesize

      29KB

      MD5

      363d36de5e210cba712906de9a45f1bd

      SHA1

      94ad919309090a6108256f8b67af9d7f80e87f32

      SHA256

      5313f503a3f15ae393d57ee3b4d29cd642009afe9eb16f16e79982c86c5d9697

      SHA512

      c1f4b9695cf76fdb07eebd54c58046f2221f50f416917934b3c24efd56328defaf549ee77671310604d0a83a0303e2fecd5b9b1f592d8a6c0ab4b25ea15bea6c

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

      Filesize

      29KB

      MD5

      4fe3a64fdd3f2c670031284b56cc14be

      SHA1

      eeb30e34c3ba51eb5a41677a61e1cf82eb79fbc4

      SHA256

      5a02a3009b0b60327fd7494a37326ee894c0d31a3274041967232a4536ac2989

      SHA512

      81f032d81109b80f90664ca43b988c40d99bedf2856e54d4615043b025c24acb9d133e45399bed4c45ebfd720294c0f5eb64fb7c57c5cbae4fb5a5062b015377

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

      Filesize

      29KB

      MD5

      df872d21b1c76b7c19f34e7284d67cd4

      SHA1

      954b373eaaa851b384536d49ab714766855d07c8

      SHA256

      d20b91a4e62dedb37f55b7a1a31e5e54dc2a3baec0668194861dcc129bc8768a

      SHA512

      8f979c2383dc120d5c0e20842dd037fcb5ca5fea806ed682a30e70cbb42ca0613d34f5ef2d4bccef593215c384145e32be3e87466db75a5924a5807e645cbc57

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

      Filesize

      29KB

      MD5

      36269a8e7b9e17f6c9dd15b5974a4e23

      SHA1

      08c1eacc4454ab456816eb1fd86bd8bd9c4ca8a1

      SHA256

      94dc365928ff90b1d4156ffd6c3b1f1acbff425cab077e9d0a3904a7a225d732

      SHA512

      f8b975e92d18e6316362fc5d69057c8b32eb148922f207e31d11cf9023b5aa8e5de8d14e98c740cc64a293164a333828ef1ab962c47153181c587b304b712a5a

    • memory/3616-545-0x00000256C9340000-0x00000256C9350000-memory.dmp

      Filesize

      64KB

    • memory/3616-564-0x00000256C9440000-0x00000256C9450000-memory.dmp

      Filesize

      64KB

    • memory/3616-580-0x00000256D17A0000-0x00000256D17A1000-memory.dmp

      Filesize

      4KB

    • memory/3616-582-0x00000256D17D0000-0x00000256D17D1000-memory.dmp

      Filesize

      4KB

    • memory/3616-583-0x00000256D17D0000-0x00000256D17D1000-memory.dmp

      Filesize

      4KB

    • memory/3616-584-0x00000256D18E0000-0x00000256D18E1000-memory.dmp

      Filesize

      4KB