e44253c39391bb28f346dd98d874e4587a34ecec25cc920ddcf60751cd1bfdc4

Analysis

max time kernel
126s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11832aaaea01ab2ab4f4bbef2792335a.exe
Size

4.5MB
MD5

11832aaaea01ab2ab4f4bbef2792335a
SHA1

b086b6796613307e4fc109f224eb9f3550e0d3b4
SHA256

e44253c39391bb28f346dd98d874e4587a34ecec25cc920ddcf60751cd1bfdc4
SHA512

76c967665ccf20bcdeda6ffab8e0f29929605c3b9e80bb24f9c25f38f3c1674932e65afba486499aac2bce8cb871bfa8a6cd56ee9e78887ac8cd113a39d50286
SSDEEP

98304:5MGf2jqPwejTT9k7lw3lgIJm1PBMckd00ZTz+LX2yC0DX:Ff2jqBTG7lw36r1PSna0ZiXD7

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2360	_6A67.tmpac7d.exe
1768	AntiVirus AntiSpyware.exe
2052	securitymanager.exe

Loads dropped DLL 9 IoCs

pid	Process
2132	11832aaaea01ab2ab4f4bbef2792335a.exe
2132	11832aaaea01ab2ab4f4bbef2792335a.exe
2132	11832aaaea01ab2ab4f4bbef2792335a.exe
2132	11832aaaea01ab2ab4f4bbef2792335a.exe
2132	11832aaaea01ab2ab4f4bbef2792335a.exe
2132	11832aaaea01ab2ab4f4bbef2792335a.exe
2132	11832aaaea01ab2ab4f4bbef2792335a.exe
2132	11832aaaea01ab2ab4f4bbef2792335a.exe
2132	11832aaaea01ab2ab4f4bbef2792335a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus_AntiSpyware_2011 = "\"C:\\Users\\Admin\\AppData\\Roaming\\AntiVirus_AntiSpyware_2011\\AntiVirus AntiSpyware.exe\" /STARTUP"	11832aaaea01ab2ab4f4bbef2792335a.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.log	securitymanager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	11832aaaea01ab2ab4f4bbef2792335a.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2052	securitymanager.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2052	securitymanager.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2132	11832aaaea01ab2ab4f4bbef2792335a.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2360	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	28
PID 2132 wrote to memory of 2360	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	28
PID 2132 wrote to memory of 2360	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	28
PID 2132 wrote to memory of 2360	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	28
PID 2132 wrote to memory of 1768	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	33
PID 2132 wrote to memory of 1768	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	33
PID 2132 wrote to memory of 1768	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	33
PID 2132 wrote to memory of 1768	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	33
PID 2132 wrote to memory of 2052	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	34
PID 2132 wrote to memory of 2052	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	34
PID 2132 wrote to memory of 2052	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	34
PID 2132 wrote to memory of 2052	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	34
PID 2132 wrote to memory of 2432	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	35
PID 2132 wrote to memory of 2432	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	35
PID 2132 wrote to memory of 2432	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	35
PID 2132 wrote to memory of 2432	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	35
PID 2132 wrote to memory of 2168	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	37
PID 2132 wrote to memory of 2168	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	37
PID 2132 wrote to memory of 2168	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	37
PID 2132 wrote to memory of 2168	2132	11832aaaea01ab2ab4f4bbef2792335a.exe	37

C:\Users\Admin\AppData\Local\Temp\11832aaaea01ab2ab4f4bbef2792335a.exe
"C:\Users\Admin\AppData\Local\Temp\11832aaaea01ab2ab4f4bbef2792335a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\_6A67.tmpac7d.exe
  "C:\Users\Admin\AppData\Local\Temp\_6A67.tmpac7d.exe" -p"09:16 AM" -y -o"C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe
  "C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\securitymanager.exe
  "C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\securitymanager.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C dir "C:\Users\Admin\AppData\Roaming"
  2⤵
  PID:2432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C dir "C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011"
  2⤵
  PID:2168

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x580
1⤵
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_6A67.tmpac7d.exe

Filesize
393KB

MD5
bddcc703779552aa850565fdd7e13488

SHA1
8243974e1ec1b33390968b1ae83a5dba9af872a3

SHA256
5bc81dda1ea83fcc8fb17731cd64b9b921a4260b6b81020747a35b472e97f322

SHA512
48a8a1a5affeec57b727cc2dde1bd65c730b5b18e25d32c3378a847829cb5ba915a1f80ad77142b9ef5caeafc1333f47379ecd90ed99ef8d6d97dcea83124744

Download Submit
C:\Users\Admin\AppData\Local\Temp\_6A67.tmpac7d.exe

Filesize
323KB

MD5
98f7fc009071f857ee39e4c39981736e

SHA1
19f976593ae1786183e1ef3064e00c3dc209a76b

SHA256
6cc8c635f1a10f1bdefec7c34e3d5e86643c1bacd4ac2227d5a51f0cd0c04fd0

SHA512
5945ce0152a6a2ccfb83150a1735195becb028c64a8ebf2746eacb8b5e7b459c7a2b95769cdbd00f9a57009af9e5ba17c1a596a94e67503d54212f5248880897

Download Submit
C:\Users\Admin\AppData\Local\Temp\_6A67.tmpac7d.exe

Filesize
288KB

MD5
6901589a22dafc14a0c41c8a7a0be5ee

SHA1
287408976a14f96f0c869756ace2fad81fae8821

SHA256
18a71b3f5ee0ec2c92cf0abc557bb8e4e2920eae24aab253cc310269d695acb8

SHA512
d21e2dcb28104f19cdb13214a8bc0b3b7082a0070fdc1da6f751f0e2d328c4c199e15a61b0a4c6c5890d69a535771116a07baac424ac3d9a0693684f924b225e

Download Submit
C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe

Filesize
147KB

MD5
9aea7a2e9abac4d994760380b2e7337a

SHA1
12314c9e761e662646f2819344ad8e7d54ac6056

SHA256
76f300fedb6f4b6a734006ee223ac18f391e8773e15a7b80c63e6ff838f5180f

SHA512
4040d69ba0a2b27b81d23477ede53a4e482e3e829b59f8404eaa098b30e49c0479ce7a01f4df0c9c8d69c6fb0f3c377717e14e7fe78c2fca3ae9118b21dc4090

Download Submit
C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe

Filesize
192KB

MD5
86d94d230d28f7e8e5fe0865066b8c3a

SHA1
1077dbbc6b57820f8adbc2bb4b7f07c5c2d78e39

SHA256
2916930ffd9333663afe5e96ea2738a58f16fd98b2c9d70e00a85b00aceda45a

SHA512
f2f32aedbed316b98a4a31a2c5bfcff7891b67cf1fad56bba576e54df3f34d9346bd2e45f1ad553472b19a44623e427b8d9f1bd03788cb5d27413138e3f54c86

Download Submit
C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\securitymanager.exe

Filesize
194KB

MD5
4b4f092ebd995ac728b2e58765c17cc2

SHA1
d73c2b30b42ce5ac531e4af249d9d10febd940f8

SHA256
40f249e1ce12b2872d82e49efcf3a02f0e51adb1552255decab8b7dec309e31b

SHA512
1634b2b403ecf9059464e8e357e69dbbad40a98d16819032a387f90c0f7f0907d126302ed00a1d478ce40ee55e994551f1030c2c57e3c8e61b827222f86a6544

Download Submit
C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\securitymanager.exe

Filesize
18KB

MD5
45e9437e631d4199c44dae384ae4cf91

SHA1
b831a33cbd619d72d767b27a817db9c45435222c

SHA256
070ccef9df4e2f794938ccd960e5563538b3da998a167b98b7f5fbc7b561b1e8

SHA512
984d247dca3d0330e409851d24b880247cc5e9013321e6af8638b8f112fa7e7992ba513641a7809f9c7988c44bdddd3dba6fa0dff37a9a9adac669737709636c

Download Submit
\Users\Admin\AppData\Local\Temp\_6A67.tmpac7d.exe

Filesize
393KB

MD5
9b294d69ec0682b14494653a9838c229

SHA1
78058079e65153323e178a6567875a83c9d7ea76

SHA256
dddcbda51cfc1607588b142b3f4acbcce7f42071adaac0c0933686ff9e71aa53

SHA512
1725efbd29990dbcc6e770d8130f6d37e595946957884bb307a65546483218d4f1584f780f5f0818685b31358668755cd34c3dbda1ae33a5f00e347cf51e0d50

Download Submit
\Users\Admin\AppData\Local\Temp\_6A67.tmpac7d.exe

Filesize
392KB

MD5
59bf96501693749d0dae78bd665eddb1

SHA1
7fccb59e3caac847d9700cd1ba28081f9f661b64

SHA256
78cfe7ba6b2fc4503f01cf01d79bb53563713058f797d9c61e1751417ed85d22

SHA512
d25cbcd81148c14e3a742c7f17b0ea784afa04f9f06f69ef67282c3e42e77cddfdcd9f0aed5211fd054a5cb21187d1c33c37ba52c4bf50a3337b1ced0900e1aa

Download Submit
\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe

Filesize
101KB

MD5
abdef5176736a5c402565e8f50d908e4

SHA1
39f30707d6a2600ba7d6d97a1c732a666dbb3424

SHA256
a417ab65ff13a382cd3e7ee31fcc7947dff4686811381e75e77afda914aef0cf

SHA512
d6d6b9a04a249ccd370487af08d21c39352e327ed24ff013c0076b350b67fbbd32cc5ab4dcfc6d71daf058800a15cd625a5476d02050675fd9d82d6109f9378d

Download Submit
\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe

Filesize
86KB

MD5
37ccfd0ab9180a10bec16e3823e9265c

SHA1
a237bcd8123dbe8f29efa9de3120d6e404abc9db

SHA256
1b629c5249db21c81ac12e6e87790098274af12a1cb907dfb254913eed26094d

SHA512
2e2b77832af6e12b0a5cc23e2ce19befb5b586d9ae9339b590880510dee7f27ffc63d94851f8fab2ccdf6c5bb57479fb8dc1671cccc7a5c280d272dd0f3cbdf9

Download Submit
\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe

Filesize
79KB

MD5
f9d6b7837f03ab07b574acc0cefb5d38

SHA1
67bd19ac3651cd581a4fc62c2c744a8e5bc75bc9

SHA256
c5845a0d75760900526388420fc6c9e1d63b1e90782aca74294e123cdf54a630

SHA512
996a123bd5dfcc58b2ae810e7bbf1f6a3b4997b97a6520e4433d6a370266ab5dff48eaa278eb0df6bfe0321a46f3789702b3f737f051d87c325f2ffb9e76c8a2

Download Submit
\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe

Filesize
114KB

MD5
c69d2e84ae34c20bf824f1467335117c

SHA1
8aa50163bb7f3cc0d9d046f47c66fd29aba94490

SHA256
b9dfea99aa557dee4dfee0dba6da5ec93e1c2d205952ba0358fbcefdb874fc20

SHA512
01c8a9ed1a5d0ca5f3a28467da0c353534860de9968f2774123ba1fcad159f2026b7f5735a693137290215cd9ca8f86d378ac0719c62e182ad79022136af635e

Download Submit
\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe

Filesize
119KB

MD5
df8892c5623e4e746873046185c7f6a0

SHA1
13ef55281fbd6303640645d4563f1d5732c39a8a

SHA256
3133b624fa46b7dff9823716f0848b3ee4481f8fbbedfad4b402483062ccdd6b

SHA512
0b2190a2c654f875839b601c870be8eb830039d6ba44394cfb51575f3865365bb57c978e31ca0c63003b2585ba8f4b5660a0096d47dbc6f5b220fa0bfc87e2cd

Download Submit
\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe

Filesize
1.5MB

MD5
5fad71113e56f9e137a650d63284366c

SHA1
a974ac256bbfefa90bf3f56e89287d5a6b68262a

SHA256
8d7debe76ff5a4c1399dc9077aeaa5852ae4d75791a458f08c5223a5c2aaaf7e

SHA512
7c5235a64f6b51da2f31371eb3a22a5269683676f3deb231322cbf2caec02cf8ea8e51dab35239dae9f3a22975215b5327d62ad4ddb0ee3289d3085ba28da2ac

Download Submit
memory/1768-72-0x0000000000400000-0x0000000001BAC000-memory.dmp

Filesize
23.7MB

Download
memory/1768-73-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1768-66-0x0000000000400000-0x0000000001BAC000-memory.dmp

Filesize
23.7MB

Download
memory/1768-75-0x0000000000400000-0x0000000001BAC000-memory.dmp

Filesize
23.7MB

Download
memory/1768-79-0x0000000000400000-0x0000000001BAC000-memory.dmp

Filesize
23.7MB

Download
memory/1768-67-0x0000000001DF0000-0x00000000020BB000-memory.dmp

Filesize
2.8MB

Download
memory/1768-80-0x0000000000400000-0x0000000001BAC000-memory.dmp

Filesize
23.7MB

Download
memory/1768-63-0x0000000000400000-0x0000000001BAC000-memory.dmp

Filesize
23.7MB

Download
memory/1768-82-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2052-69-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2052-70-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2052-78-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2052-76-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2052-71-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2052-68-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/2132-1-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/2132-33-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/2132-44-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/2132-46-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2132-38-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/2132-39-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/2132-74-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/2132-37-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/2132-65-0x00000000040A0000-0x000000000584C000-memory.dmp

Filesize
23.7MB

Download
memory/2132-45-0x0000000000C40000-0x000000000109F000-memory.dmp

Filesize
4.4MB

Download
memory/2132-5-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/2132-3-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2132-2-0x0000000000C40000-0x000000000109F000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads