Analysis
max time kernel: 109s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 09:46
Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: 316eb3f6e252e406b1815bd650088156.exe
Resource: win7-20231129-en
10 signatures
150 seconds

Behavioral task: behavioral2
Sample: 316eb3f6e252e406b1815bd650088156.exe
Resource: win10v2004-20231215-en
12 signatures
150 seconds
General
Target: 316eb3f6e252e406b1815bd650088156.exe
Size: 303KB
MD5: 316eb3f6e252e406b1815bd650088156
SHA1: b666bcf5ece3cbdf49e66556820bcc87f8d21886
SHA256: ef1f7115e0dedca5a41da22ac3476c3f1a27bb21e77c6ad6eaaac5843f3b9788
SHA512: 22efbc31f96db16eaa0312c264447444cde6a3f7476a7aed1f5603e727a9b908515dcf373db080943f6fe8808d7f60cba4b1273770966add3ecddbcde50c1561
SSDEEP: 6144:ZmOf3vF/m6O79bTvejWVpyLtK42stFdeU7tLzpvIj2JClKD11QNI:xvFej79bTejWvI7FdV7BVwj2BrQK
Score: 7/10
Malware Config

Signatures

Executes dropped EXE (8 IoCs)
pid | Process
3588 | A_v_DVD.dll
3888 | KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe
4680 | services.exe
4120 | A_v_AuTo.dll
1992 | services.exe
3788 | A_v_AuTo.dll
5080 | services.exe
4628 | A_v_TT.dll

resource | yara_rule
behavioral2/memory/4120-54-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral2/memory/3788-46-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral2/memory/4120-39-0x0000000000400000-0x0000000000415000-memory.dmp | upx

resource | yara_rule
behavioral2/memory/4628-72-0x0000000000400000-0x0000000000417000-memory.dmp | vmprotect
behavioral2/memory/4628-70-0x0000000000400000-0x0000000000417000-memory.dmp | vmprotect

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Microsoft Shared\\services.exe" | A_v_AuTo.dll
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Microsoft Shared\\services.exe" | A_v_AuTo.dll

Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll | 316eb3f6e252e406b1815bd650088156.exe
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_Dw.ocx | 316eb3f6e252e406b1815bd650088156.exe
File created | C:\Program Files\Common Files\Microsoft Shared\services.exe | 316eb3f6e252e406b1815bd650088156.exe
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll | 316eb3f6e252e406b1815bd650088156.exe
File opened for modification | C:\Program Files\Common Files\Au_ing_Code.ini | services.exe
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_Dvd.ocx | 316eb3f6e252e406b1815bd650088156.exe
File created | C:\Program Files\Common Files\Au_ing_Code.ini | services.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\services.exe | 316eb3f6e252e406b1815bd650088156.exe
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | 316eb3f6e252e406b1815bd650088156.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | 316eb3f6e252e406b1815bd650088156.exe
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_Tj.ocx | 316eb3f6e252e406b1815bd650088156.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll | 316eb3f6e252e406b1815bd650088156.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll | 316eb3f6e252e406b1815bd650088156.exe
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.ocx | 316eb3f6e252e406b1815bd650088156.exe
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_bind.au | 316eb3f6e252e406b1815bd650088156.exe

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
1248 | 4680 | WerFault.exe | 99
2836 | 5080 | WerFault.exe | 105

Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
4120 | A_v_AuTo.dll
4120 | A_v_AuTo.dll
4120 | A_v_AuTo.dll
4120 | A_v_AuTo.dll
4120 | A_v_AuTo.dll
4120 | A_v_AuTo.dll
3788 | A_v_AuTo.dll
3788 | A_v_AuTo.dll
3788 | A_v_AuTo.dll
3788 | A_v_AuTo.dll
3788 | A_v_AuTo.dll
3788 | A_v_AuTo.dll
4628 | A_v_TT.dll
4628 | A_v_TT.dll
4628 | A_v_TT.dll
4628 | A_v_TT.dll
4628 | A_v_TT.dll
4628 | A_v_TT.dll
4628 | A_v_TT.dll
4628 | A_v_TT.dll

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4680 | services.exe
Token: SeDebugPrivilege | 5080 | services.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
3888 | KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe
3888 | KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe
3888 | KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe

Suspicious use of SendNotifyMessage (3 IoCs)
pid | Process
3888 | KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe
3888 | KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe
3888 | KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4628 | A_v_TT.dll
4628 | A_v_TT.dll

Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 5116 wrote to memory of 3588 | 5116 | 316eb3f6e252e406b1815bd650088156.exe | 48
PID 5116 wrote to memory of 3588 | 5116 | 316eb3f6e252e406b1815bd650088156.exe | 48
PID 5116 wrote to memory of 3588 | 5116 | 316eb3f6e252e406b1815bd650088156.exe | 48
PID 3588 wrote to memory of 3888 | 3588 | A_v_DVD.dll | 49
PID 3588 wrote to memory of 3888 | 3588 | A_v_DVD.dll | 49
PID 3588 wrote to memory of 3888 | 3588 | A_v_DVD.dll | 49
PID 5116 wrote to memory of 4680 | 5116 | 316eb3f6e252e406b1815bd650088156.exe | 99
PID 5116 wrote to memory of 4680 | 5116 | 316eb3f6e252e406b1815bd650088156.exe | 99
PID 5116 wrote to memory of 4680 | 5116 | 316eb3f6e252e406b1815bd650088156.exe | 99
PID 5116 wrote to memory of 4120 | 5116 | 316eb3f6e252e406b1815bd650088156.exe | 103
PID 5116 wrote to memory of 4120 | 5116 | 316eb3f6e252e406b1815bd650088156.exe | 103
PID 5116 wrote to memory of 4120 | 5116 | 316eb3f6e252e406b1815bd650088156.exe | 103
PID 4120 wrote to memory of 1992 | 4120 | A_v_AuTo.dll | 106
PID 4120 wrote to memory of 1992 | 4120 | A_v_AuTo.dll | 106
PID 4120 wrote to memory of 1992 | 4120 | A_v_AuTo.dll | 106
PID 3788 wrote to memory of 5080 | 3788 | A_v_AuTo.dll | 105
PID 3788 wrote to memory of 5080 | 3788 | A_v_AuTo.dll | 105
PID 3788 wrote to memory of 5080 | 3788 | A_v_AuTo.dll | 105
PID 5116 wrote to memory of 4628 | 5116 | 316eb3f6e252e406b1815bd650088156.exe | 109
PID 5116 wrote to memory of 4628 | 5116 | 316eb3f6e252e406b1815bd650088156.exe | 109
PID 5116 wrote to memory of 4628 | 5116 | 316eb3f6e252e406b1815bd650088156.exe | 109
Processes
(indentation shows the parent/child process tree)

C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe"
  PID: 5116
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
    Command line: "C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll"
    PID: 3588
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe"
      PID: 3888
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Program Files\Common Files\Microsoft Shared\services.exe
    Command line: "C:\Program Files\Common Files\Microsoft Shared\services.exe"
    PID: 4680
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 548
      PID: 1248
      - Program crash

  C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
    Command line: "C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"
    PID: 4120
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Common Files\Microsoft Shared\services.exe
      Command line: "C:\Program Files\Common Files\Microsoft Shared\services.exe"
      PID: 1992
      - Executes dropped EXE

  C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll
    Command line: "C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll"
    PID: 4628
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
  Command line: "C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"
  PID: 3788
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Common Files\Microsoft Shared\services.exe
    Command line: "C:\Program Files\Common Files\Microsoft Shared\services.exe"
    PID: 5080
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 520
      PID: 2836
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4680 -ip 4680
  PID: 944

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5080 -ip 5080
  PID: 3932