Analysis
- max time kernel: 149s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-12-2023 14:07
Static task: static1
Behavioral task: behavioral1
- Sample: 1af9622916017e1f48dc638c8bab08b9.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 1af9622916017e1f48dc638c8bab08b9.exe
- Resource: win10v2004-20231222-en
General
- Target: 1af9622916017e1f48dc638c8bab08b9.exe
- Size: 744KB
- MD5: 1af9622916017e1f48dc638c8bab08b9
- SHA1: 5ffa8b669742bdf538bb59bba8e770b7818aeafb
- SHA256: fd8e28418f1ccd48b7e4302e641e9a62e4016c72e631a66f367ce35881604996
- SHA512: 9bb9ba1dbfb002ebf96f787e9e015c6e5d73bbf2754c488b18bcf8d7c0b64efb8a669a91c89c54da2f1662abe68e474ecd9705ec847dbab40599d5017a229a80
- SSDEEP: 12288:7aqFlXTPhvHA7azeJYp0DmuLb5DZZc32zKzft0JVZpezQIEDiyYzX9kale9A:7aqFR9A7aCTC65LcYJDaD
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  1400  svchost.exe
  2012  1af9622916017e1f48dc638c8bab08b9.exe
  4056  svchost.exe
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (1 IoC)
  description   ioc                     Process
  File created  C:\Windows\svchost.exe  1af9622916017e1f48dc638c8bab08b9.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                        pid   Process
  Token: 33                          2700  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  2700  AUDIODG.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                               procid_target
  PID 3696 wrote to memory of 1400   3696  1af9622916017e1f48dc638c8bab08b9.exe  87
  PID 3696 wrote to memory of 1400   3696  1af9622916017e1f48dc638c8bab08b9.exe  87
  PID 3696 wrote to memory of 1400   3696  1af9622916017e1f48dc638c8bab08b9.exe  87
  PID 1400 wrote to memory of 2012   1400  svchost.exe                           88
  PID 1400 wrote to memory of 2012   1400  svchost.exe                           88
  PID 1400 wrote to memory of 2012   1400  svchost.exe                           88
Processes
- C:\Users\Admin\AppData\Local\Temp\1af9622916017e1f48dc638c8bab08b9.exe (PID: 3696)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1af9622916017e1f48dc638c8bab08b9.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\svchost.exe (PID: 1400)
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\1af9622916017e1f48dc638c8bab08b9.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1af9622916017e1f48dc638c8bab08b9.exe (PID: 2012)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1af9622916017e1f48dc638c8bab08b9.exe"
      - Executes dropped EXE
- C:\Windows\svchost.exe (PID: 4056)
  Command line: C:\Windows\svchost.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
- C:\Windows\system32\AUDIODG.EXE (PID: 2700)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x498 0x490
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 709KB
  MD5: 9442fdbf52d02b679f63e361d8689ea0
  SHA1: 258dae91bf8ea77f7a8da207a6072e2a5e14aa32
  SHA256: 03774e07708904f5bcf4f0e9cc49cc55f119b7ec52492e13fc6941e48b3ce6cb
  SHA512: 3a71a2dbe1bf6708fe84ce1efaf28031172f37a152ded10006a8b6bf05d268a711b72ad5e28334c8723f0655d885fe6897265b9436e09deb78f467d7e5ef281c
- Filesize: 35KB
  MD5: 345861f739ef259c33abc7ef49b81694
  SHA1: 3b6aff327d91e66a207c0557eac6ddefab104598
  SHA256: fc3220611aded768e37b125c4e4d5a8ffdbf7dfa8d8c19c07c7791b486457948
  SHA512: 7b0aae948a594f29125a3e80f6c2b51421cda07f5ee4554538037f12b87d4b3937ee74fb400505efcd2a953c897a49d79d875148516dcef619c514251854dfad