02837e7c28378e0517e0efe433ef3f8e0b4d9daebdb4b9cff0df4ab1ba3ce163

Analysis

max time kernel
116s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cf7335ae9b05e449dacd2b95693ba60.exe
Size

672KB
MD5

2cf7335ae9b05e449dacd2b95693ba60
SHA1

8795ca628e1a7bc0d1f33203af2702a5b7b8bfc8
SHA256

02837e7c28378e0517e0efe433ef3f8e0b4d9daebdb4b9cff0df4ab1ba3ce163
SHA512

2e9cda0631e47533ac5a1e6dfd14a6a770527480068355b0d92ef0da2b8c3bc18910f5a025e3d8aef8840c974e1ec6c1963d543c71a3a3239706111b6286b27b
SSDEEP

12288:neBNUbTVO86UCHruRdp+WA00SKCpVRwfHXSVUhbxk9e/pJu:nJIUCNd0nKwYPX+UhbW9eM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
464	Process not Found
2628	alg.exe
2940	aspnet_state.exe
788	mscorsvw.exe
2396	mscorsvw.exe
2980	mscorsvw.exe
2292	mscorsvw.exe

Loads dropped DLL 4 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\alg.exe	2cf7335ae9b05e449dacd2b95693ba60.exe
File created	\??\c:\windows\system32\nkblidje.tmp	2cf7335ae9b05e449dacd2b95693ba60.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	2cf7335ae9b05e449dacd2b95693ba60.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	2cf7335ae9b05e449dacd2b95693ba60.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\agmdlcfa.tmp	2cf7335ae9b05e449dacd2b95693ba60.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\odpdmhhi.tmp	2cf7335ae9b05e449dacd2b95693ba60.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\difcmalm.tmp	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\plijgbjj.tmp	2cf7335ae9b05e449dacd2b95693ba60.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mhnajccn.tmp	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	2cf7335ae9b05e449dacd2b95693ba60.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	2cf7335ae9b05e449dacd2b95693ba60.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	2cf7335ae9b05e449dacd2b95693ba60.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	2cf7335ae9b05e449dacd2b95693ba60.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	2cf7335ae9b05e449dacd2b95693ba60.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1820	2cf7335ae9b05e449dacd2b95693ba60.exe
Token: SeTakeOwnershipPrivilege	2628	alg.exe

C:\Users\Admin\AppData\Local\Temp\2cf7335ae9b05e449dacd2b95693ba60.exe
"C:\Users\Admin\AppData\Local\Temp\2cf7335ae9b05e449dacd2b95693ba60.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:788

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 170 -NGENProcess 174 -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 220 -NGENProcess 208 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  PID:1660

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\aoprpdpa\cmd.exe

Filesize
36KB

MD5
fe0ef2058a05cd0774ce2878cbd0c695

SHA1
ef9d8f1b2d0f270f5e8a216a804979e8c1bcc47f

SHA256
3142940696e30d0311223b1d0d0efb17e891a56e24521ad793dde3c29f4351ee

SHA512
00056ac183c3effcd6affaba43f1822485bff9ed74095727fb08607f9fd2a5c6f668efbeb8f72ed186cbcc4b4b6c49f360cc10306a34475b8be7b008ca5c4e84

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1KB

MD5
acb35c3a1e3b29d2a353d7709dca4dde

SHA1
bf8efc25caae3af811dc65d9ba2016c491437f38

SHA256
503b7ec615363b508f91e947f1bf45cd87021e74247ed920745bbb3967abcbc4

SHA512
8a973379ea278ad95c9a150c91bb3f8fbdc71886c30a5b18c8fb179193140e9cb9c946b6625b94f9179a7cf43647a50677ac6a928b28da672c71aec75db92443

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
14KB

MD5
1e2d6f83d4587e35eefa46ed89e1a224

SHA1
06c39610359560657979facfaa12ef4b88986278

SHA256
9f0d822023704b8199d47850fa8af60de4116f2d8f6c8bcfe5ea99b72828766a

SHA512
507430bddc90a973e1a09887aed1da8a642d185a9e55ea0350806cc5ec8c7d3051dd50444f08515b69214d70bcd6703ccfe2af91b6cda33dff1e6fc2a81c642f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
41KB

MD5
d3dec3ba6563ecaaccc6899132d1038c

SHA1
625b240e44fdf32069e46906f2cc76adf7b84708

SHA256
8f174cbb1471cd11dfeb425c8708a25c5ef92957edee869c40a9625cceee4e19

SHA512
156df33d8806d0b2f0a4c5676599688dc1e61d76c4ee0fd54181561219d7cc8a619661371d78085f56584aa87d14a50bde9b96b0095df3299cac3e0da81d5ac0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
119KB

MD5
0fde4752fdfee5f45ba31f0a18b961a7

SHA1
558d6f7d1a395be300d6d8e713bd3edf057c50dd

SHA256
6a27c318be568645475bfd588b4e6b1cc44b3d6b691aed1d51629792b58c5e5e

SHA512
d3c170bfbd63091d56f25931e29fbff9ad0c68c74069f7ef57e29563b36f8ce80047f8acc01119057d82ff213127fe8e857f947e3b5fa4dcd69aabb9fad303d8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
47KB

MD5
c2020b60e1a36e96ceec922d49a42030

SHA1
76ab3bfecd4eb9db0fba0fc5b121149888f7cfbf

SHA256
5fa4ed0831c1a011695b314e14f40229f24beba0918143dbd100dd1dcda72917

SHA512
f237df447f5057be448f6a500bae562c3d4c6d15bbce61b4b2dccc8beb0f75f83db0308443b445e6665d9161a08f89962a9ac1a65fb5ba310a1821e41c12a4e0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1KB

MD5
632af1b877b07b0463ecbb4d9db64f4b

SHA1
45dbcfa023f7081c2705a4de832df73418fe9027

SHA256
5efb179ceba9bf74719528e5f9c646a1b229728ca132dcc0d8613939168563ec

SHA512
b4bd5a8ccf459bb8a019c910bf3b6205144e03c8d6654ef1aaff79705451816f5132b652abe069c55e786355411dd0b99918f536128be746066002c33095654f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
21KB

MD5
b77ac0d32c2e5f21138dcd557584433c

SHA1
e80f95bfc69406849e645096380c594b5ce1a6b2

SHA256
62eebaca4585ce91d03a71f55755ae323dc669dfe5ac6ad86f869a72614c398c

SHA512
550d416a45c7c29b62b68c500dffe2da1b1e2bc7f3dc35ce9bb8ed0ca71ad9307b85b7d744746a7e561e9a2cc97eb3c4e0a3a806f8b3bae6f48d04479946ffb1

Download Submit
C:\Windows\System32\alg.exe

Filesize
55KB

MD5
a6e939011959c3f9a715c1fbe2d29509

SHA1
9193f1459bff286445f5f174ddc7fdd3b3e9f8b6

SHA256
49f606911a331062f7aa598a517a68ac17ea5728c66ad38188e35dd4dc342987

SHA512
e1ca02efb33796d5f19aa1cda68eb3552d355d55eb1d92571a0d735956d9b5d0e6287f5257beb79df428148221cb438e04dfe96a05743ad7aa12dd8a4ebf8440

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
40KB

MD5
aa4f53c28320097db21653d4638a51fb

SHA1
c8b5473ef57097bfe19e42e68bfc87573cb6ea9f

SHA256
86ef4c2b39e199f4d24851858dd6f60fb11b4a9bed068c3373977dbf7a9109d7

SHA512
5c77ca9dddce5e47e3215073fbe8aee58856cc4410434179f02b7bfcdfb255a859e01af9d2a9f3c53f253eaed315f2a82c5626066d048bda1e4c1abecb366dd1

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe

Filesize
13KB

MD5
03a04106d4efaf370f148772cf23a457

SHA1
d907900f1a2649142420e4e13a2461571d2f1cc4

SHA256
0e316beabb68c2fbfc7ace3ed0e1fd566e414c8730b807db2c4d4b4c8abf223b

SHA512
8f2df6096d9afeeaf9728203711f6f5a8c507af114485684988937db90af50af5f343250779b904a887e44af75255038955b2d5f6ca604ceb897a8b42e6f49cf

Download Submit
\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

Filesize
10KB

MD5
01002fe17626a64b178dbbe9b1ad12c6

SHA1
0a3242c7cb55b4e4887522475a91a0ef2b547c6b

SHA256
334bb57137ab3ba50750596b850f3216563a2c8078ea1eda225a8b7785f2205b

SHA512
14f2bae45cb312fd94d4f302b5330090319e7563580a5f152b03bfa37953b7ed12a06a46ea2a4511a9ca544147b7fafd36aeb2728aae75aeac4489246ea783ba

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
17KB

MD5
04fb053dc9a04f4b37d33b2ad46952cf

SHA1
1589909909eaf6d80399bc48fa56ea8a94b57545

SHA256
697cc7c05bffc441066cfb820488796eba3d0eeae27a0ea151968b0e3b2555b3

SHA512
656e80e633ba7b67d196949e22b39cbad1e97b5c8121fbb54dee2fd909a16f2d145c654fdd5b1d0229b3ce846487be81779bb8eb50255ef684ef7a93e34da549

Download Submit
\Windows\System32\alg.exe

Filesize
10KB

MD5
936c7b2fcbdf92d5a93c0b9e0ddbb0f9

SHA1
8f42575d9f9a3beda94c537a7764f656406a0f83

SHA256
2d4e39480991d7eceda8c30c48179c9f8399b567f89577c3774c14b324d47c2d

SHA512
84f38b195c9ba3509950c6c97673507fed9419754169ba707f83edd53ed3309ba5f44a72c9818e700720ff1a2f2b4324d623e8f9bd72e38a0b008ef325660f08

Download Submit
\Windows\System32\dllhost.exe

Filesize
9KB

MD5
dda12bc9d03a4b2ad5941301a648c83f

SHA1
31780bad438f3fca63bb37b9e469d2d3c1ab028f

SHA256
db23f1c5477e2453593530519c023f883968b0b83f616ae460fc9e4c92980afb

SHA512
107978121e32061eb81c6a18e08a3d8bba1ab1da26313fa143dc900fea532a812d8e2f0e5ae78395f9823b64e6444ba0a2278f2bbcbe7a6c036ae8473897f997

Download Submit
\Windows\System32\dllhost.exe

Filesize
17KB

MD5
cde2d00a91491cbe21a69dda71b41ad1

SHA1
3ae5e641e3c39fe2d0cc274be471a8d884667afe

SHA256
b9565b16da01d29558af6c45a4b14aa66a7ee2381609fd42a9bd43848e4928a5

SHA512
bcdf47f94eacde8de9001cc39232aa4ac02dfe513d0eac9b7e08d3a64149840395f53806bb73584c820ad14fdebef32d61ea4d2f2d56151e9057c76392852380

Download Submit
memory/788-35-0x0000000010000000-0x00000000100A4000-memory.dmp

Filesize
656KB

Download
memory/788-42-0x0000000010000000-0x00000000100A4000-memory.dmp

Filesize
656KB

Download
memory/788-34-0x0000000010000000-0x00000000100A4000-memory.dmp

Filesize
656KB

Download
memory/828-96-0x00000000FF490000-0x00000000FF54E000-memory.dmp

Filesize
760KB

Download
memory/828-97-0x00000000FF490000-0x00000000FF54E000-memory.dmp

Filesize
760KB

Download
memory/1660-123-0x000000013F4A0000-0x000000013F577000-memory.dmp

Filesize
860KB

Download
memory/1660-120-0x000000013F4A0000-0x000000013F577000-memory.dmp

Filesize
860KB

Download
memory/1820-0-0x000000013F370000-0x000000013F470000-memory.dmp

Filesize
1024KB

Download
memory/1820-3-0x000000013F370000-0x000000013F470000-memory.dmp

Filesize
1024KB

Download
memory/1820-11-0x000000013F370000-0x000000013F470000-memory.dmp

Filesize
1024KB

Download
memory/1820-1-0x000000013F370000-0x000000013F470000-memory.dmp

Filesize
1024KB

Download
memory/2040-94-0x000000013F4A0000-0x000000013F577000-memory.dmp

Filesize
860KB

Download
memory/2040-114-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2040-87-0x000000013F4A0000-0x000000013F577000-memory.dmp

Filesize
860KB

Download
memory/2040-121-0x000000013F4A0000-0x000000013F577000-memory.dmp

Filesize
860KB

Download
memory/2292-75-0x000000013F4A0000-0x000000013F577000-memory.dmp

Filesize
860KB

Download
memory/2292-76-0x000000013F4A0000-0x000000013F577000-memory.dmp

Filesize
860KB

Download
memory/2292-122-0x000000013F4A0000-0x000000013F577000-memory.dmp

Filesize
860KB

Download
memory/2396-64-0x0000000010000000-0x00000000100D1000-memory.dmp

Filesize
836KB

Download
memory/2396-56-0x0000000010000000-0x00000000100D1000-memory.dmp

Filesize
836KB

Download
memory/2396-55-0x0000000010000000-0x00000000100D1000-memory.dmp

Filesize
836KB

Download
memory/2628-19-0x00000000FF030000-0x00000000FF0FD000-memory.dmp

Filesize
820KB

Download
memory/2628-69-0x00000000FF030000-0x00000000FF0FD000-memory.dmp

Filesize
820KB

Download
memory/2628-28-0x00000000FF030000-0x00000000FF0FD000-memory.dmp

Filesize
820KB

Download
memory/2628-18-0x00000000FF030000-0x00000000FF0FD000-memory.dmp

Filesize
820KB

Download
memory/2940-70-0x000000013F520000-0x000000013F5E6000-memory.dmp

Filesize
792KB

Download
memory/2940-26-0x000000013F520000-0x000000013F5E6000-memory.dmp

Filesize
792KB

Download
memory/2940-27-0x000000013F520000-0x000000013F5E6000-memory.dmp

Filesize
792KB

Download