Analysis

  • max time kernel
    109s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    31/12/2023, 09:46

General

  • Target

    316eb3f6e252e406b1815bd650088156.exe

  • Size

    303KB

  • MD5

    316eb3f6e252e406b1815bd650088156

  • SHA1

    b666bcf5ece3cbdf49e66556820bcc87f8d21886

  • SHA256

    ef1f7115e0dedca5a41da22ac3476c3f1a27bb21e77c6ad6eaaac5843f3b9788

  • SHA512

    22efbc31f96db16eaa0312c264447444cde6a3f7476a7aed1f5603e727a9b908515dcf373db080943f6fe8808d7f60cba4b1273770966add3ecddbcde50c1561

  • SSDEEP

    6144:ZmOf3vF/m6O79bTvejWVpyLtK42stFdeU7tLzpvIj2JClKD11QNI:xvFej79bTejWvI7FdV7BVwj2BrQK

Malware Config

Signatures

  • Executes dropped EXE 8 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe
    "C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
      "C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3588
      • C:\Users\Admin\AppData\Local\Temp\KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe
        "C:\Users\Admin\AppData\Local\Temp\KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3888
    • C:\Program Files\Common Files\Microsoft Shared\services.exe
      "C:\Program Files\Common Files\Microsoft Shared\services.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4680
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 548
        3⤵
        • Program crash
        PID:1248
    • C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
      "C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4120
      • C:\Program Files\Common Files\Microsoft Shared\services.exe
        "C:\Program Files\Common Files\Microsoft Shared\services.exe"
        3⤵
        • Executes dropped EXE
        PID:1992
    • C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll
      "C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4628
  • C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
    "C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"
    1⤵
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3788
    • C:\Program Files\Common Files\Microsoft Shared\services.exe
      "C:\Program Files\Common Files\Microsoft Shared\services.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:5080
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 520
        3⤵
        • Program crash
        PID:2836
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4680 -ip 4680
    1⤵
    PID:944
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5080 -ip 5080
    1⤵
    PID:3932
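A triage pass over the process tree above, added here as an example and not part of the sandbox report. The records are constructed from the tree's own image paths, command lines, PIDs and parent PIDs, and three checks are applied that the report's signatures only hint at: a process whose image file carries a .dll name rather than .exe, a well-known system binary name (services.exe) running outside System32/SysWOW64, and each WerFault.exe invocation tied back to the PID it was reporting on. The rule names, the short SYSTEM_BINARY_NAMES list and the helper functions are this example's own assumptions, not anything the sandbox emits.

```python
"""Triage a sandbox process tree for masquerading and crash events.

Added example, not part of the sandbox report. PROCESS_TREE is constructed
from the report's process tree; rule names and helpers are this example's own.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed from the report: (pid, parent_pid, image_path, command_line).
# parent_pid 0 marks a top-level process in the sandbox tree.
PROCESS_TREE = [
    (5116, 0,    r"C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe"'),
    (3588, 5116, r"C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll",
                 r'"C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll"'),
    (3888, 3588, r"C:\Users\Admin\AppData\Local\Temp\KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe"'),
    (4680, 5116, r"C:\Program Files\Common Files\Microsoft Shared\services.exe",
                 r'"C:\Program Files\Common Files\Microsoft Shared\services.exe"'),
    (1248, 4680, r"C:\Windows\SysWOW64\WerFault.exe",
                 r"C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 548"),
    (4120, 5116, r"C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll",
                 r'"C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"'),
    (1992, 4120, r"C:\Program Files\Common Files\Microsoft Shared\services.exe",
                 r'"C:\Program Files\Common Files\Microsoft Shared\services.exe"'),
    (4628, 5116, r"C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll",
                 r'"C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll"'),
    (3788, 0,    r"C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll",
                 r'"C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"'),
    (5080, 3788, r"C:\Program Files\Common Files\Microsoft Shared\services.exe",
                 r'"C:\Program Files\Common Files\Microsoft Shared\services.exe"'),
    (2836, 5080, r"C:\Windows\SysWOW64\WerFault.exe",
                 r"C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 520"),
    (944,  0,    r"C:\Windows\SysWOW64\WerFault.exe",
                 r"C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4680 -ip 4680"),
    (3932, 0,    r"C:\Windows\SysWOW64\WerFault.exe",
                 r"C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5080 -ip 5080"),
]

# Assumption: a short list of names that only legitimately run from the system
# directories; a real deployment would use a fuller catalogue.
SYSTEM_BINARY_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Matches the standalone "-p <pid>" switch in a WerFault command line, but not
# "-pss" or "-ip <pid>".
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


def image_name(path):
    return PureWindowsPath(path).name.lower()


def in_system_dir(path):
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def triage(tree):
    """Return (rule, pid, detail) findings for a list of process records."""
    by_pid = {pid: image for pid, _, image, _ in tree}
    findings = []
    for pid, ppid, image, cmdline in tree:
        name = image_name(image)
        suffix = PureWindowsPath(image).suffix.lower()
        # A process image saved under a .dll (or other non-.exe) name: the sample's
        # droppers are PE executables written to disk with .dll names (masquerading).
        if suffix != ".exe":
            findings.append(("image_extension_mismatch", pid,
                             f"{name} launched as a process by PID {ppid}"))
        # A well-known system binary name executing outside System32/SysWOW64.
        if name in SYSTEM_BINARY_NAMES and not in_system_dir(image):
            findings.append(("system_name_outside_system_dir", pid, image))
        # Windows Error Reporting was started for a PID; report which image crashed.
        if name == "werfault.exe":
            m = WERFAULT_PID.search(cmdline)
            if m:
                crashed = int(m.group(1))
                findings.append(("crash_reported", crashed,
                                 by_pid.get(crashed, "<unknown image>")))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    for rule, pid, detail in triage(PROCESS_TREE):
        print(f"{rule:32} pid={pid:<5} {detail}")
    print(dict(summarize(triage(PROCESS_TREE))))
```

Both crashed PIDs resolve to the dropped services.exe copies, which is consistent with the report's "Program crash" signature firing twice; the .dll-named images are the ones the report credits with the Run key and WriteProcessMemory activity, so the extension check is the cheapest host-side indicator for this sample.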

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1992-41-0x0000000000400000-0x0000000000417AB9-memory.dmp    Filesize 94KB
  • memory/1992-44-0x00000000023E0000-0x000000000242B000-memory.dmp    Filesize 300KB
  • memory/1992-42-0x0000000000400000-0x0000000000417AB9-memory.dmp    Filesize 94KB
  • memory/1992-47-0x0000000000400000-0x0000000000417AB9-memory.dmp    Filesize 94KB
  • memory/3588-7-0x00000000001C0000-0x00000000001C2000-memory.dmp     Filesize 8KB
  • memory/3588-6-0x0000000000400000-0x000000000044E000-memory.dmp     Filesize 312KB
  • memory/3588-8-0x0000000000400000-0x000000000044E000-memory.dmp     Filesize 312KB
  • memory/3588-23-0x0000000000400000-0x000000000044E000-memory.dmp    Filesize 312KB
  • memory/3588-31-0x00000000001C0000-0x00000000001C2000-memory.dmp    Filesize 8KB
  • memory/3788-46-0x0000000000400000-0x0000000000415000-memory.dmp    Filesize 84KB
  • memory/3888-14-0x0000000000400000-0x0000000000441000-memory.dmp    Filesize 260KB
  • memory/4120-39-0x0000000000400000-0x0000000000415000-memory.dmp    Filesize 84KB
  • memory/4120-54-0x0000000000400000-0x0000000000415000-memory.dmp    Filesize 84KB
  • memory/4628-72-0x0000000000400000-0x0000000000417000-memory.dmp    Filesize 92KB
  • memory/4628-70-0x0000000000400000-0x0000000000417000-memory.dmp    Filesize 92KB
  • memory/4680-29-0x0000000000400000-0x0000000000417AB9-memory.dmp    Filesize 94KB
  • memory/4680-25-0x0000000000400000-0x0000000000417AB9-memory.dmp    Filesize 94KB
  • memory/4680-26-0x00000000022A0000-0x00000000022EB000-memory.dmp    Filesize 300KB
  • memory/4680-27-0x0000000002520000-0x0000000002521000-memory.dmp    Filesize 4KB
  • memory/4680-28-0x0000000002510000-0x0000000002511000-memory.dmp    Filesize 4KB
  • memory/4680-24-0x0000000000400000-0x0000000000417AB9-memory.dmp    Filesize 94KB
  • memory/5080-52-0x00000000011E0000-0x00000000011E1000-memory.dmp    Filesize 4KB
  • memory/5080-48-0x0000000000400000-0x0000000000417AB9-memory.dmp    Filesize 94KB
  • memory/5080-53-0x00000000011D0000-0x00000000011D1000-memory.dmp    Filesize 4KB
  • memory/5080-55-0x0000000000400000-0x0000000000417AB9-memory.dmp    Filesize 94KB
  • memory/5080-56-0x0000000000F60000-0x0000000000FAB000-memory.dmp    Filesize 300KB