5977442321a693717950365446880058cc2585485ea582daa515719c1c21c5bd

Resubmissions

20/09/2023, 09:14

230920-k7eldafc91 7

20/09/2023, 08:49

230920-krc3lshd26 7

20/09/2023, 08:40

230920-klcvnafb51 7

20/09/2023, 08:23

230920-kakfcshb59 8

Analysis

max time kernel
229s
max time network
191s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
20/09/2023, 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GetSymbol.exe
Size

15.2MB
MD5

d2a00fdf8244d6232dfe32ba46753088
SHA1

43eabf377ef8441669be814ab4d8c78f38213237
SHA256

5977442321a693717950365446880058cc2585485ea582daa515719c1c21c5bd
SHA512

08eaf7045fdfb43aba5bb04d9790dfc556d0a9a8ec32a655ce0d755a0abecb096a11e995d5a62f54cede6319748ddf10af47728bc39b37c8e0ca421e68727087
SSDEEP

196608:J3J30WFK4ZdtZpjyxicqou8ZFaMw6oTEPhFLOyomFHKnP:JZkW/tixicqou8naT6rPhF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4252	symchk.exe
4900	symchk.exe

Loads dropped DLL 12 IoCs

pid	Process
4900	symchk.exe
4900	symchk.exe
4252	symchk.exe
4252	symchk.exe
4900	symchk.exe
4252	symchk.exe
4252	symchk.exe
4252	symchk.exe
4900	symchk.exe
4900	symchk.exe
4252	symchk.exe
4252	symchk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4020	GetSymbol.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4020	GetSymbol.exe
4020	GetSymbol.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 724	4020	GetSymbol.exe	70
PID 4020 wrote to memory of 724	4020	GetSymbol.exe	70
PID 4020 wrote to memory of 4940	4020	GetSymbol.exe	73
PID 4020 wrote to memory of 4940	4020	GetSymbol.exe	73
PID 724 wrote to memory of 4900	724	cmd.exe	75
PID 724 wrote to memory of 4900	724	cmd.exe	75
PID 4940 wrote to memory of 4252	4940	cmd.exe	74
PID 4940 wrote to memory of 4252	4940	cmd.exe	74

C:\Users\Admin\AppData\Local\Temp\GetSymbol.exe
"C:\Users\Admin\AppData\Local\Temp\GetSymbol.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "symchk.exe /r /if "c:\windows\system32\4i7o75wowezfy.exe" /s SRV*"c:\symbols"*http://msdl.microsoft.com/download/symbols > C:\Users\Admin\AppData\Local\Temp\4i7o75wowezfy.exe.log"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Users\Admin\AppData\Local\Temp\symchk.exe
    symchk.exe /r /if "c:\windows\system32\4i7o75wowezfy.exe" /s SRV*"c:\symbols"*http://msdl.microsoft.com/download/symbols
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4900
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "symchk.exe /r /if "c:\windows\system32\aadauthhelper.dll" /s SRV*"c:\symbols"*http://msdl.microsoft.com/download/symbols > C:\Users\Admin\AppData\Local\Temp\aadauthhelper.dll.log"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\symchk.exe
    symchk.exe /r /if "c:\windows\system32\aadauthhelper.dll" /s SRV*"c:\symbols"*http://msdl.microsoft.com/download/symbols
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1224

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:2128

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:788
- C:\Windows\System32\4i7o75wowezfy.exe
  C:\Windows\System32\4i7o75wowezfy.exe
  2⤵
  PID:3468

C:\Windows\System32\4i7o75wowezfy.exe
"C:\Windows\System32\4i7o75wowezfy.exe"
1⤵
PID:5104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
24be8a92460b5b7a555b1da559296958

SHA1
94147054e8a04e82fea1c185af30c7c90b194064

SHA256
77a3cfe6b7eb676af438d5de88c7efcb6abcc494e0b65da90201969e6d79b2a3

SHA512
ed8ef0453e050392c430fdcf556249f679570c130decd18057e077471a45ab0bc0fba513cb2d4d1c61f3d1935318113b3733dec2bc7828a169b18a1081e609a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
017b99d66393d4c4541a0e0b8d8432ad

SHA1
38c5650ad2b8981423742614eb03ac074917c2ae

SHA256
afe9aa1e55a73d58329baf09efc086fd6a33755b36f0d52b2d2e0e33393852a4

SHA512
b83c6c0cbc3ee1c5ee52fa36ac282673bc91800567b7b65cff2683a433ef693c1f90b815763e5634c3e345b8bd71116054f3b187991bb90d2760b0b838e56403

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
342B

MD5
361554332f9f16499c45c1b463c41be7

SHA1
bd3bc0c4b0d9223767d3e3dd8bd274c10d0606ef

SHA256
6da21078d726a221c6765f45bde347e1a7757578634c20056981fb8f08b032fe

SHA512
bc9696079173ec0c64253e7204de2c44cd5f6e55a1736dfeca2a88469e7cc78fbcbdb60539f305c795fdcdbfbaabbb8593e8ca73268b2eb916abc4393090b3c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
dccf966d9cd1900fe33f1f9a23e192b5

SHA1
bec92e7de5e3db0d06c1703d8126bdd44eb09178

SHA256
655147c8541851e4afe8b6cfb7d95e0a5a32637e5a3d85eca76ba1653b11cfaa

SHA512
f594acf6c581734139a145cd22a32289e83c4465e0857092f19112366599bef726037ad67b481e304683f0125f8bb1cf53e7cc894a445ccedc6e757c8932da78

Download Submit
C:\Users\Admin\AppData\Local\Temp\4i7o75wowezfy.exe.log

Filesize
64B

MD5
300574716be40d84c44b27b56fe212bd

SHA1
61a672c28d972e473700ee015411bba00bf909af

SHA256
dd8bb96dd46c17e6f99d0380310697b3fe464b9e968c16ee00b8fd98bf1e004a

SHA512
a16e9bb4de1d23256be9f839dc1d7823a3f30af63892eb6508e08a2cc985635f8c3a01787f86c8f08d7d3906e2668b0f37fac1c8d2991621dcd5c83ac68d7870

Download Submit
C:\Users\Admin\AppData\Local\Temp\SymbolCheck.dll

Filesize
31KB

MD5
ee5361147e784dda4f1786768dff2b2e

SHA1
1a1ec16de6fd3ab3745c88b73d1fccf438d5443a

SHA256
7fac1225c60dfbe2252234ca3bd74efd689f40792dc6c293710edb29cc2bdb4f

SHA512
1cd30f52c2fcee3df844f28ab607b1f45ee0cb8d41a9bb9650e54e1c500d5b98230b37106a9e36b494ccc76bd11a42f021b9d9183865be87ad4dceca8b3980ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\aadauthhelper.dll.log

Filesize
64B

MD5
300574716be40d84c44b27b56fe212bd

SHA1
61a672c28d972e473700ee015411bba00bf909af

SHA256
dd8bb96dd46c17e6f99d0380310697b3fe464b9e968c16ee00b8fd98bf1e004a

SHA512
a16e9bb4de1d23256be9f839dc1d7823a3f30af63892eb6508e08a2cc985635f8c3a01787f86c8f08d7d3906e2668b0f37fac1c8d2991621dcd5c83ac68d7870

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbgeng.dll

Filesize
7.5MB

MD5
28fb43c45b6a01aa61973995f5152527

SHA1
78fbf5cd50b067b24ba7fa46e3f4558097892bd8

SHA256
779689b113220a4e618f283e305262d208412c2186ec37d3638cd47808b6bb44

SHA512
4a86e231cabe94c1e702af01d471038f684b6beb4ff42ac6de7a70aee2ad36525c46c35f56fcdb36232fe322784b06cbe22b69c9047d9a435880553f44f2a1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.8MB

MD5
a970b7fcc13c18a1998cf65a5b8cb699

SHA1
e4e2c71ed0caac10e4a1555b54c91d03bfda01b7

SHA256
9a02133854ff9f06c3b23a70f8c2a4814b2ed4eef613244b485e3737259ddf9e

SHA512
4dfefd27487f706a5f59181735cdf2f8e80a6b354d756bf198bdc0d0ffb1060d4576ba8bfbcc8f7f5973f106d60e07d31bfb94b3034138bded9f1cbb8c224a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbgmodel.dll

Filesize
711KB

MD5
6b0a3af856358b83808e211c0ce2f24a

SHA1
a7123822c0ed124d0819c91a8edb725eb8c1dba9

SHA256
270fee0dcb8fb0bda15a4dd687e0bc1ef64cfc2c7ba687744eb5d7472281174f

SHA512
4d9739d769cd67ced3059a74f897aa9e3415b86ec3ea04f1b78b9c9ac7ac9e3eb7ff2fcc1ba0611bb3a19038cf32e0f4d22590113239320f8441ea303b1a41a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\symchk.exe

Filesize
73KB

MD5
d08aea07938df399409d5b57aaac448f

SHA1
cf003af2c5c40b2e9d49c508e99e8031c441a4e0

SHA256
d3c551b0d36884346702436aeaf57644767d97b3071d082db3211edca59cffc0

SHA512
9253e7a6d3a0b72373a61c2b44bc4541c9ff3dc55b84acf535ec517ddd600d2c111bd4cc5ed12f8963a5756b38b0287704bc300bd0e0c66f40769256b7e652ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\symchk.exe

Filesize
73KB

MD5
d08aea07938df399409d5b57aaac448f

SHA1
cf003af2c5c40b2e9d49c508e99e8031c441a4e0

SHA256
d3c551b0d36884346702436aeaf57644767d97b3071d082db3211edca59cffc0

SHA512
9253e7a6d3a0b72373a61c2b44bc4541c9ff3dc55b84acf535ec517ddd600d2c111bd4cc5ed12f8963a5756b38b0287704bc300bd0e0c66f40769256b7e652ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
250KB

MD5
265f6f5f18bf4c049875454cdce218f6

SHA1
9c3cfeb5a24a9b2a72b19736bd523b3e31028121

SHA256
db4d9a1a57c38ad2bcf329c58b7f35d8a90e54faf5464e8997bcfb917e21c704

SHA512
6ab0fa48f3c19af5929c5337a745c4f21fcb857396574625832bdd7b6a59b53a445012c8f540e1224f519d5bb085216bd5eea2ef5503ba397bc9c28d48f1fc76

Download Submit
\Users\Admin\AppData\Local\Temp\DbgHelp.dll

Filesize
1.8MB

MD5
a970b7fcc13c18a1998cf65a5b8cb699

SHA1
e4e2c71ed0caac10e4a1555b54c91d03bfda01b7

SHA256
9a02133854ff9f06c3b23a70f8c2a4814b2ed4eef613244b485e3737259ddf9e

SHA512
4dfefd27487f706a5f59181735cdf2f8e80a6b354d756bf198bdc0d0ffb1060d4576ba8bfbcc8f7f5973f106d60e07d31bfb94b3034138bded9f1cbb8c224a46

Download Submit
\Users\Admin\AppData\Local\Temp\DbgHelp.dll

Filesize
1.8MB

MD5
a970b7fcc13c18a1998cf65a5b8cb699

SHA1
e4e2c71ed0caac10e4a1555b54c91d03bfda01b7

SHA256
9a02133854ff9f06c3b23a70f8c2a4814b2ed4eef613244b485e3737259ddf9e

SHA512
4dfefd27487f706a5f59181735cdf2f8e80a6b354d756bf198bdc0d0ffb1060d4576ba8bfbcc8f7f5973f106d60e07d31bfb94b3034138bded9f1cbb8c224a46

Download Submit
\Users\Admin\AppData\Local\Temp\DbgHelp.dll

Filesize
1.8MB

MD5
a970b7fcc13c18a1998cf65a5b8cb699

SHA1
e4e2c71ed0caac10e4a1555b54c91d03bfda01b7

SHA256
9a02133854ff9f06c3b23a70f8c2a4814b2ed4eef613244b485e3737259ddf9e

SHA512
4dfefd27487f706a5f59181735cdf2f8e80a6b354d756bf198bdc0d0ffb1060d4576ba8bfbcc8f7f5973f106d60e07d31bfb94b3034138bded9f1cbb8c224a46

Download Submit
\Users\Admin\AppData\Local\Temp\DbgHelp.dll

Filesize
1.8MB

MD5
a970b7fcc13c18a1998cf65a5b8cb699

SHA1
e4e2c71ed0caac10e4a1555b54c91d03bfda01b7

SHA256
9a02133854ff9f06c3b23a70f8c2a4814b2ed4eef613244b485e3737259ddf9e

SHA512
4dfefd27487f706a5f59181735cdf2f8e80a6b354d756bf198bdc0d0ffb1060d4576ba8bfbcc8f7f5973f106d60e07d31bfb94b3034138bded9f1cbb8c224a46

Download Submit
\Users\Admin\AppData\Local\Temp\DbgModel.dll

Filesize
711KB

MD5
6b0a3af856358b83808e211c0ce2f24a

SHA1
a7123822c0ed124d0819c91a8edb725eb8c1dba9

SHA256
270fee0dcb8fb0bda15a4dd687e0bc1ef64cfc2c7ba687744eb5d7472281174f

SHA512
4d9739d769cd67ced3059a74f897aa9e3415b86ec3ea04f1b78b9c9ac7ac9e3eb7ff2fcc1ba0611bb3a19038cf32e0f4d22590113239320f8441ea303b1a41a0

Download Submit
\Users\Admin\AppData\Local\Temp\DbgModel.dll

Filesize
711KB

MD5
6b0a3af856358b83808e211c0ce2f24a

SHA1
a7123822c0ed124d0819c91a8edb725eb8c1dba9

SHA256
270fee0dcb8fb0bda15a4dd687e0bc1ef64cfc2c7ba687744eb5d7472281174f

SHA512
4d9739d769cd67ced3059a74f897aa9e3415b86ec3ea04f1b78b9c9ac7ac9e3eb7ff2fcc1ba0611bb3a19038cf32e0f4d22590113239320f8441ea303b1a41a0

Download Submit
\Users\Admin\AppData\Local\Temp\SymbolCheck.dll

Filesize
31KB

MD5
ee5361147e784dda4f1786768dff2b2e

SHA1
1a1ec16de6fd3ab3745c88b73d1fccf438d5443a

SHA256
7fac1225c60dfbe2252234ca3bd74efd689f40792dc6c293710edb29cc2bdb4f

SHA512
1cd30f52c2fcee3df844f28ab607b1f45ee0cb8d41a9bb9650e54e1c500d5b98230b37106a9e36b494ccc76bd11a42f021b9d9183865be87ad4dceca8b3980ad

Download Submit
\Users\Admin\AppData\Local\Temp\SymbolCheck.dll

Filesize
31KB

MD5
ee5361147e784dda4f1786768dff2b2e

SHA1
1a1ec16de6fd3ab3745c88b73d1fccf438d5443a

SHA256
7fac1225c60dfbe2252234ca3bd74efd689f40792dc6c293710edb29cc2bdb4f

SHA512
1cd30f52c2fcee3df844f28ab607b1f45ee0cb8d41a9bb9650e54e1c500d5b98230b37106a9e36b494ccc76bd11a42f021b9d9183865be87ad4dceca8b3980ad

Download Submit
\Users\Admin\AppData\Local\Temp\dbgeng.dll

Filesize
7.5MB

MD5
28fb43c45b6a01aa61973995f5152527

SHA1
78fbf5cd50b067b24ba7fa46e3f4558097892bd8

SHA256
779689b113220a4e618f283e305262d208412c2186ec37d3638cd47808b6bb44

SHA512
4a86e231cabe94c1e702af01d471038f684b6beb4ff42ac6de7a70aee2ad36525c46c35f56fcdb36232fe322784b06cbe22b69c9047d9a435880553f44f2a1df

Download Submit
\Users\Admin\AppData\Local\Temp\dbgeng.dll

Filesize
7.5MB

MD5
28fb43c45b6a01aa61973995f5152527

SHA1
78fbf5cd50b067b24ba7fa46e3f4558097892bd8

SHA256
779689b113220a4e618f283e305262d208412c2186ec37d3638cd47808b6bb44

SHA512
4a86e231cabe94c1e702af01d471038f684b6beb4ff42ac6de7a70aee2ad36525c46c35f56fcdb36232fe322784b06cbe22b69c9047d9a435880553f44f2a1df

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
250KB

MD5
265f6f5f18bf4c049875454cdce218f6

SHA1
9c3cfeb5a24a9b2a72b19736bd523b3e31028121

SHA256
db4d9a1a57c38ad2bcf329c58b7f35d8a90e54faf5464e8997bcfb917e21c704

SHA512
6ab0fa48f3c19af5929c5337a745c4f21fcb857396574625832bdd7b6a59b53a445012c8f540e1224f519d5bb085216bd5eea2ef5503ba397bc9c28d48f1fc76

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
250KB

MD5
265f6f5f18bf4c049875454cdce218f6

SHA1
9c3cfeb5a24a9b2a72b19736bd523b3e31028121

SHA256
db4d9a1a57c38ad2bcf329c58b7f35d8a90e54faf5464e8997bcfb917e21c704

SHA512
6ab0fa48f3c19af5929c5337a745c4f21fcb857396574625832bdd7b6a59b53a445012c8f540e1224f519d5bb085216bd5eea2ef5503ba397bc9c28d48f1fc76

Download Submit