Analysis
max time kernel: 141s
max time network: 135s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 09:46
Static task: static1
  1 signature
Behavioral task: behavioral1
  Sample: 316eb3f6e252e406b1815bd650088156.exe
  Resource: win7-20231129-en
  10 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: 316eb3f6e252e406b1815bd650088156.exe
  Resource: win10v2004-20231215-en
  12 signatures, 150 seconds
General
Target: 316eb3f6e252e406b1815bd650088156.exe
Size: 303KB
MD5: 316eb3f6e252e406b1815bd650088156
SHA1: b666bcf5ece3cbdf49e66556820bcc87f8d21886
SHA256: ef1f7115e0dedca5a41da22ac3476c3f1a27bb21e77c6ad6eaaac5843f3b9788
SHA512: 22efbc31f96db16eaa0312c264447444cde6a3f7476a7aed1f5603e727a9b908515dcf373db080943f6fe8808d7f60cba4b1273770966add3ecddbcde50c1561
SSDEEP: 6144:ZmOf3vF/m6O79bTvejWVpyLtK42stFdeU7tLzpvIj2JClKD11QNI:xvFej79bTejWvI7FdV7BVwj2BrQK
Score: 7/10
Malware Config
Signatures
- Executes dropped EXE (8 IoCs)
  pid | Process
  3064 | A_v_DVD.dll
  2560 | KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe
  2600 | services.exe
  2480 | A_v_AuTo.dll
  2964 | services.exe
  592 | A_v_AuTo.dll
  476 | services.exe
  2240 | A_v_TT.dll
- Loads dropped DLL (31 IoCs; consecutive identical rows collapsed with a count)
  pid | Process
  2948 | 316eb3f6e252e406b1815bd650088156.exe
  3064 | A_v_DVD.dll (×5)
  2560 | KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe (×3)
  2948 | 316eb3f6e252e406b1815bd650088156.exe (×2)
  2600 | services.exe (×3)
  2948 | 316eb3f6e252e406b1815bd650088156.exe (×2)
  2480 | A_v_AuTo.dll (×5)
  2964 | services.exe (×3)
  592 | A_v_AuTo.dll (×2)
  2948 | 316eb3f6e252e406b1815bd650088156.exe (×2)
  2240 | A_v_TT.dll (×3)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Microsoft Shared\\services.exe" | A_v_AuTo.dll
- Drops file in Program Files directory (15 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll | 316eb3f6e252e406b1815bd650088156.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\A_v_Dvd.ocx | 316eb3f6e252e406b1815bd650088156.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\services.exe | 316eb3f6e252e406b1815bd650088156.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.ocx | 316eb3f6e252e406b1815bd650088156.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | 316eb3f6e252e406b1815bd650088156.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll | 316eb3f6e252e406b1815bd650088156.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | 316eb3f6e252e406b1815bd650088156.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\A_v_Tj.ocx | 316eb3f6e252e406b1815bd650088156.exe
  File opened for modification | C:\Program Files\Common Files\Au_ing_Code.ini | services.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll | 316eb3f6e252e406b1815bd650088156.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\A_v_Dw.ocx | 316eb3f6e252e406b1815bd650088156.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\A_v_bind.au | 316eb3f6e252e406b1815bd650088156.exe
  File created | C:\Program Files\Common Files\Au_ing_Code.ini | services.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll | 316eb3f6e252e406b1815bd650088156.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\services.exe | 316eb3f6e252e406b1815bd650088156.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs; consecutive identical rows collapsed with a count)
  pid | Process
  2480 | A_v_AuTo.dll (×3)
  592 | A_v_AuTo.dll (×3)
  2240 | A_v_TT.dll (×4)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2600 | services.exe
  Token: SeDebugPrivilege | 476 | services.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  2560 | KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe (×3)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  2560 | KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe (×3)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2240 | A_v_TT.dll (×2)
- Suspicious use of WriteProcessMemory (46 IoCs; consecutive identical rows collapsed with a count)
  description | pid | Process | procid_target
  PID 2948 wrote to memory of 3064 | 2948 | 316eb3f6e252e406b1815bd650088156.exe | 29 (×7)
  PID 3064 wrote to memory of 2560 | 3064 | A_v_DVD.dll | 28 (×7)
  PID 2948 wrote to memory of 2600 | 2948 | 316eb3f6e252e406b1815bd650088156.exe | 30 (×7)
  PID 2948 wrote to memory of 2480 | 2948 | 316eb3f6e252e406b1815bd650088156.exe | 34 (×7)
  PID 2480 wrote to memory of 2964 | 2480 | A_v_AuTo.dll | 33 (×7)
  PID 592 wrote to memory of 476 | 592 | A_v_AuTo.dll | 31 (×4)
  PID 2948 wrote to memory of 2240 | 2948 | 316eb3f6e252e406b1815bd650088156.exe | 37 (×7)
Processes
- C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe"
  PID: 2948
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
    Command line: "C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll"
    PID: 3064
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  - C:\Program Files\Common Files\Microsoft Shared\services.exe
    Command line: "C:\Program Files\Common Files\Microsoft Shared\services.exe"
    PID: 2600
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
  - C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
    Command line: "C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"
    PID: 2480
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  - C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll
    Command line: "C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll"
    PID: 2240
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
- C:\Users\Admin\AppData\Local\Temp\KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe"
  PID: 2560
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Program Files\Common Files\Microsoft Shared\services.exe
  Command line: "C:\Program Files\Common Files\Microsoft Shared\services.exe"
  PID: 476
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
  Command line: "C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"
  PID: 592
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- C:\Program Files\Common Files\Microsoft Shared\services.exe
  Command line: "C:\Program Files\Common Files\Microsoft Shared\services.exe"
  PID: 2964
  - Executes dropped EXE
  - Loads dropped DLL