ddaf7103efc84cb134bee71c72019484a149adfdb7e6af9e3f08eebfe0e5a2d5

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2023, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71a62824398aa99ae4dfe1204cc2858f.exe
Size

282KB
MD5

71a62824398aa99ae4dfe1204cc2858f
SHA1

72ec290c7b9a52371a4f2ce9257b5b0c82ddd04c
SHA256

ddaf7103efc84cb134bee71c72019484a149adfdb7e6af9e3f08eebfe0e5a2d5
SHA512

9277536c9e15bc1697ae52ad8c7b52f8e1c7d22855065e3d3a192d5cb6ef115e1a53b25cd1c2d8ec9e5255d8c3b391efec77535c9acf10c15e267f4b286dbc6a
SSDEEP

6144:bV+4tt25MIRakGNhYPu2p3QPtCndoSgdeUDm:325MIkkGNwPWPtCf8et

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 508	1500	71a62824398aa99ae4dfe1204cc2858f.exe	85
PID 508 set thread context of 3148	508	MSBuild.exe	39
PID 508 set thread context of 3148	508	MSBuild.exe	39
PID 508 set thread context of 3224	508	MSBuild.exe	91
PID 3224 set thread context of 3148	3224	help.exe	39

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3148	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
3224	help.exe
3224	help.exe
3224	help.exe
3224	help.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	71a62824398aa99ae4dfe1204cc2858f.exe
Token: SeDebugPrivilege	508	MSBuild.exe
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeDebugPrivilege	3224	help.exe
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3148	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 508	1500	71a62824398aa99ae4dfe1204cc2858f.exe	85
PID 1500 wrote to memory of 508	1500	71a62824398aa99ae4dfe1204cc2858f.exe	85
PID 1500 wrote to memory of 508	1500	71a62824398aa99ae4dfe1204cc2858f.exe	85
PID 1500 wrote to memory of 508	1500	71a62824398aa99ae4dfe1204cc2858f.exe	85
PID 1500 wrote to memory of 508	1500	71a62824398aa99ae4dfe1204cc2858f.exe	85
PID 1500 wrote to memory of 508	1500	71a62824398aa99ae4dfe1204cc2858f.exe	85
PID 508 wrote to memory of 3224	508	MSBuild.exe	91
PID 508 wrote to memory of 3224	508	MSBuild.exe	91
PID 508 wrote to memory of 3224	508	MSBuild.exe	91
PID 3224 wrote to memory of 4016	3224	help.exe	92
PID 3224 wrote to memory of 4016	3224	help.exe	92
PID 3224 wrote to memory of 4016	3224	help.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3148
- C:\Users\Admin\AppData\Local\Temp\71a62824398aa99ae4dfe1204cc2858f.exe
  "C:\Users\Admin\AppData\Local\Temp\71a62824398aa99ae4dfe1204cc2858f.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:508
  - - C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      4⤵
      Suspicious use of SetThreadContext
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Program Files\Mozilla Firefox\Firefox.exe
        
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        5⤵
        
        PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/508-22-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/508-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/508-13-0x0000000001040000-0x000000000138A000-memory.dmp

Filesize
3.3MB

Download
memory/508-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/508-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/508-23-0x0000000005440000-0x0000000005466000-memory.dmp

Filesize
152KB

Download
memory/508-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/508-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/508-20-0x0000000001F50000-0x0000000001F76000-memory.dmp

Filesize
152KB

Download
memory/508-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/508-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/508-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/508-17-0x0000000001F50000-0x0000000001F76000-memory.dmp

Filesize
152KB

Download
memory/1500-6-0x000001C595670000-0x000001C595680000-memory.dmp

Filesize
64KB

Download
memory/1500-11-0x00007FF92F220000-0x00007FF92FCE1000-memory.dmp

Filesize
10.8MB

Download
memory/1500-12-0x00007FF930F60000-0x00007FF931901000-memory.dmp

Filesize
9.6MB

Download
memory/1500-5-0x000001C595670000-0x000001C595680000-memory.dmp

Filesize
64KB

Download
memory/1500-4-0x00007FF92F220000-0x00007FF92FCE1000-memory.dmp

Filesize
10.8MB

Download
memory/1500-3-0x00007FF930F60000-0x00007FF931901000-memory.dmp

Filesize
9.6MB

Download
memory/1500-2-0x000001C595860000-0x000001C59586A000-memory.dmp

Filesize
40KB

Download
memory/1500-1-0x00007FF930F60000-0x00007FF931901000-memory.dmp

Filesize
9.6MB

Download
memory/1500-0-0x000001C5956E0000-0x000001C5956F6000-memory.dmp

Filesize
88KB

Download
memory/3148-52-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-89-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-27-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-28-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/3148-30-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-32-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-34-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-36-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-37-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-38-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-40-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-42-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-44-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/3148-46-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-45-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/3148-43-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-48-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-47-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-50-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-49-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-51-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/3148-53-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-24-0x000000000CAC0000-0x000000000E655000-memory.dmp

Filesize
27.6MB

Download
memory/3148-56-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-55-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-57-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/3148-110-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-108-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-18-0x000000000BDC0000-0x000000000C6FE000-memory.dmp

Filesize
9.2MB

Download
memory/3148-61-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/3148-106-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-63-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/3148-105-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/3148-64-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/3148-104-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-67-0x00000000084B0000-0x00000000085CA000-memory.dmp

Filesize
1.1MB

Download
memory/3148-68-0x00000000084B0000-0x00000000085CA000-memory.dmp

Filesize
1.1MB

Download
memory/3148-102-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-103-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-72-0x00000000084B0000-0x00000000085CA000-memory.dmp

Filesize
1.1MB

Download
memory/3148-78-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-79-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-80-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/3148-81-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-82-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-83-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-84-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-85-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-87-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-25-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-90-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-91-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/3148-92-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-93-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-94-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/3148-97-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-95-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-101-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-99-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/3148-98-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3224-70-0x0000000000D60000-0x0000000000E05000-memory.dmp

Filesize
660KB

Download
memory/3224-69-0x0000000000800000-0x0000000000836000-memory.dmp

Filesize
216KB

Download
memory/3224-66-0x0000000000D60000-0x0000000000E05000-memory.dmp

Filesize
660KB

Download
memory/3224-65-0x0000000000800000-0x0000000000836000-memory.dmp

Filesize
216KB

Download
memory/3224-62-0x0000000000E20000-0x000000000116A000-memory.dmp

Filesize
3.3MB

Download
memory/3224-59-0x0000000000800000-0x0000000000836000-memory.dmp

Filesize
216KB

Download
memory/3224-58-0x0000000000800000-0x0000000000836000-memory.dmp

Filesize
216KB

Download