Analysis
  max time kernel: 143s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 31/12/2023, 11:59
Static task: static1
Behavioral task: behavioral1
  Sample: 35571756db6a05c766ae0db158457790.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 35571756db6a05c766ae0db158457790.exe
  Resource: win10v2004-20231215-en
General
  Target: 35571756db6a05c766ae0db158457790.exe
  Size: 310KB
  MD5: 35571756db6a05c766ae0db158457790
  SHA1: c8b8f083a1571cbfd0ddf07c2643771efc2a0584
  SHA256: 06aa7af64996fbcdc485c56a41c2bcf169445bbc2d12a3674c943e15e66f61f1
  SHA512: 0bd1f78a0875f390ff8ae1245285a4e046da3e38eb1b8a0807f81a9b2f624de37b638d7f90fbf17f5d0b69ad40121c1603ba2191b551926460499a21130ea3ce
  SSDEEP: 6144:dxOf3vF/mc2G9bj9DoktMF0DWBkzoD/4FvLCQtprb7xJdxsZerHt:svFeVG9bZS0aizJvLC8prPxJdxO+
Malware Config
Signatures

Executes dropped EXE (6 IoCs)
  pid   Process
  1612  A_v_DVD.dll
  4348  5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe
  4764  services.exe
  620   A_v_AuTo.dll
  4184  services.exe
  1240  A_v_TT.dll

UPX packed file (yara)
  resource                                                                  yara_rule
  behavioral2/memory/620-35-0x0000000000400000-0x0000000000413000-memory.dmp  upx
  behavioral2/files/0x0006000000023230-33.dat                               upx
  behavioral2/memory/620-32-0x0000000000400000-0x0000000000413000-memory.dmp  upx
  behavioral2/files/0x0006000000023230-31.dat                               upx

VMProtect packed file (yara)
  resource                                                                   yara_rule
  behavioral2/memory/1240-46-0x0000000000400000-0x0000000000417000-memory.dmp  vmprotect
  behavioral2/memory/1240-44-0x0000000000400000-0x0000000000417000-memory.dmp  vmprotect
  behavioral2/files/0x000600000002323d-43.dat                                vmprotect
  behavioral2/memory/1240-50-0x0000000000400000-0x0000000000417000-memory.dmp  vmprotect

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                        Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Microsoft Shared\\services.exe"  A_v_AuTo.dll

Drops file in Program Files directory (14 IoCs)
  description                   ioc                                                           Process
  File created                  C:\Program Files\Common Files\Microsoft Shared\A_v_Dvd.ocx    35571756db6a05c766ae0db158457790.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\services.exe   35571756db6a05c766ae0db158457790.exe
  File created                  C:\Program Files\Common Files\Microsoft Shared\A_v_bind.au    35571756db6a05c766ae0db158457790.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll     35571756db6a05c766ae0db158457790.exe
  File created                  C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll    35571756db6a05c766ae0db158457790.exe
  File created                  C:\Program Files\Common Files\Au_ing_Code.ini                 services.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll    35571756db6a05c766ae0db158457790.exe
  File created                  C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.ocx   35571756db6a05c766ae0db158457790.exe
  File created                  C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll   35571756db6a05c766ae0db158457790.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll   35571756db6a05c766ae0db158457790.exe
  File created                  C:\Program Files\Common Files\Microsoft Shared\A_v_Dw.ocx     35571756db6a05c766ae0db158457790.exe
  File created                  C:\Program Files\Common Files\Microsoft Shared\services.exe   35571756db6a05c766ae0db158457790.exe
  File created                  C:\Program Files\Common Files\Microsoft Shared\A_v_Tj.ocx     35571756db6a05c766ae0db158457790.exe
  File created                  C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll     35571756db6a05c766ae0db158457790.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid  Process
  620  A_v_AuTo.dll  (reported 6 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  4764  services.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  4348  5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe  (reported 3 times)

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  4348  5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe  (reported 3 times)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1240  A_v_TT.dll  (reported 2 times)

Suspicious use of WriteProcessMemory (18 IoCs; each relationship below is reported 3 times)
  description                        pid   Process                               procid_target
  PID 4896 wrote to memory of 1612   4896  35571756db6a05c766ae0db158457790.exe  91
  PID 1612 wrote to memory of 4348   1612  A_v_DVD.dll                           92
  PID 4896 wrote to memory of 4764   4896  35571756db6a05c766ae0db158457790.exe  93
  PID 4896 wrote to memory of 620    4896  35571756db6a05c766ae0db158457790.exe  101
  PID 620 wrote to memory of 4184    620   A_v_AuTo.dll                          103
  PID 4896 wrote to memory of 1240   4896  35571756db6a05c766ae0db158457790.exe  107
Processes (depth in brackets; each entry gives the image path, the command line as recorded, the PID, and the signatures matched by that process)

[1] C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe"
    PID: 4896
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
      command line: "C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll"
      PID: 1612
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe"
        PID: 4348
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

  [2] C:\Program Files\Common Files\Microsoft Shared\services.exe
      command line: "C:\Program Files\Common Files\Microsoft Shared\services.exe"
      PID: 4764
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
      command line: "C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"
      PID: 620
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files\Common Files\Microsoft Shared\services.exe
        command line: "C:\Program Files\Common Files\Microsoft Shared\services.exe"
        PID: 4184
        - Executes dropped EXE

  [2] C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll
      command line: "C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll"
      PID: 1240
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 893KB
  MD5: 313fedb748b07089fda25cdfdccf7e48
  SHA1: 62a0ed3d22f2573bee2366c16d5021d1f9948284
  SHA256: 388d77eef7650bbffc78ce91dc225c34e2170e9aff4e77e1d83414ac7220f227
  SHA512: 03e819805727890b234d0e8a3b6720bb7855f2af8cbc51b358ec6a99649ef358db78ede28f4643d78c4962d1ab2ef065c21ff63a0432b62dd5fb976add15536e

  Filesize: 29.4MB
  MD5: 09f98253bf84311ae590f3d826bd21fe
  SHA1: 8ed5f8d5b66440839ac97e8bc04d17ada1087223
  SHA256: cf29d7e361cfa52092826b893fac140365e628340b7cafa0e9f9df4104a72fa5
  SHA512: 9106087306e87a1d4eec281917586bd3cffeeb41b50cdfc1ec1e499950e457b4d07bc7fa0322011d576bd7784ccd9304364414bf47fe658f2021ef39d33f1d5f

  Filesize: 2.1MB
  MD5: 8df2f6666c334bc4ffd9f1805435ffe6
  SHA1: 56902be4a106d231fef4aa18172f38de8e5bd644
  SHA256: 96fa43a9472e69fa19dfdc52822d7113367cbfe6e5efade176bbf44b2c7e8721
  SHA512: 86b49ff8a4ed3440b7bf8235afadf7e940f7b5fe550f44b564cdf154caae49bb5f9699942a5411f5eb74c57bef13a6f1e323a6f39214ce89c9c16bf3850ce54a

  Filesize: 606KB
  MD5: c9f5b42a102a7eafc02edf2568b3e3fd
  SHA1: bf6dfeec9ffcb1bc3f58c8883a8696d2957b775f
  SHA256: 668d3279064a9e63609e246178723857cedd0a415fa857f7b942f654844f19ec
  SHA512: b9406c0a465d16ecbe31031e55de7c80eb06c2d4c78d418c177a33149e68afc0ad065c300c757dfe50c059436acbd9e07bd8084a5a670cf63fac489fd7bfda69

  Filesize: 92KB
  MD5: 08161ddde528f68cc653aa3d579f95d2
  SHA1: 8227a3a53483b2f339a963bc09ffb0d516117131
  SHA256: 9981cd2517944a114d7d5a1d71f9e93821218f665c86bc41eee5ba3c74a63c58
  SHA512: 479909dee6671befb7dc1e7007f6ff4c400aa5dbea51f61ea337c726e2f17c7ee57258d9d23c530e19f6b503d861238e6c3314ac97b8e3e922d0b23ff2428f3e

  Filesize: 19.9MB
  MD5: c214fca229d065b799ae552901fe3f59
  SHA1: 3b271438996a35955602fe60b1b06a026ac124b6
  SHA256: ce896f9cc54072750b52e7b5a13e740c6d3684750281492186f4e2f991c09b2d
  SHA512: ec5ecc9a36ce3a0aa821d26a0881195895cb3b54a6b210bf707092f339174b4d39d38bb5c2250b4e3ea4ce9fc7bcf360c3131336d8e7130e6430b0e6b94daf1c

  Filesize: 381KB
  MD5: e1257277b5edcf9a2b0a62c3b8567394
  SHA1: abc161103edc11b622f4cd0f89fc29ed04cf7b3b
  SHA256: e69353fb3c8a69c851b55681797a55d098a016783cf89ef22f77d8a299d82485
  SHA512: 354cf935f2c0014c7506b9e4fdbf195848614af88fd3d6ffe30d33e4557769db5f46f717d42b44d3900b7670293f4896a0e83eed62173bcb68ff3ee743c61264

  Filesize: 252KB
  MD5: 98a47a067a396d52c8f33cd82d1df5e4
  SHA1: 2c8e3743283615f6f54afd60806f5476d3e52f06
  SHA256: cc6e0f9ea16b535ab144868ca0b0b0d41a4953326a3b2bb3bb68a263bb3da83c
  SHA512: 380b32900159deb9a3caad5522414a8d77613fe4b832a63717809efaba65606a4526a4e5e32309c2168e22ce231b1294ee8cb95e633f60f3733f642510ea1f15