Analysis

  • max time kernel: 143s
  • max time network: 156s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 31/12/2023, 11:59

General

  • Target: 35571756db6a05c766ae0db158457790.exe
  • Size: 310KB
  • MD5: 35571756db6a05c766ae0db158457790
  • SHA1: c8b8f083a1571cbfd0ddf07c2643771efc2a0584
  • SHA256: 06aa7af64996fbcdc485c56a41c2bcf169445bbc2d12a3674c943e15e66f61f1
  • SHA512: 0bd1f78a0875f390ff8ae1245285a4e046da3e38eb1b8a0807f81a9b2f624de37b638d7f90fbf17f5d0b69ad40121c1603ba2191b551926460499a21130ea3ce
  • SSDEEP: 6144:dxOf3vF/mc2G9bj9DoktMF0DWBkzoD/4FvLCQtprb7xJdxsZerHt:svFeVG9bZS0aizJvLC8prPxJdxO+

Malware Config

Signatures

  • Executes dropped EXE (6 IoCs)
  • UPX packed file (4 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file (4 IoCs)

    Detects executables packed with VMProtect commercial packer.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (14 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe
    "C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
      "C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe
        "C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4348
    • C:\Program Files\Common Files\Microsoft Shared\services.exe
      "C:\Program Files\Common Files\Microsoft Shared\services.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4764
    • C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
      "C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:620
      • C:\Program Files\Common Files\Microsoft Shared\services.exe
        "C:\Program Files\Common Files\Microsoft Shared\services.exe"
        3⤵
        • Executes dropped EXE
        PID:4184
    • C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll
      "C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1240

Network

        Downloads

        • C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
          Filesize: 893KB
          MD5: 313fedb748b07089fda25cdfdccf7e48
          SHA1: 62a0ed3d22f2573bee2366c16d5021d1f9948284
          SHA256: 388d77eef7650bbffc78ce91dc225c34e2170e9aff4e77e1d83414ac7220f227
          SHA512: 03e819805727890b234d0e8a3b6720bb7855f2af8cbc51b358ec6a99649ef358db78ede28f4643d78c4962d1ab2ef065c21ff63a0432b62dd5fb976add15536e

        • C:\Program Files\Common Files\Microsoft Shared\services.exe
          Filesize: 29.4MB
          MD5: 09f98253bf84311ae590f3d826bd21fe
          SHA1: 8ed5f8d5b66440839ac97e8bc04d17ada1087223
          SHA256: cf29d7e361cfa52092826b893fac140365e628340b7cafa0e9f9df4104a72fa5
          SHA512: 9106087306e87a1d4eec281917586bd3cffeeb41b50cdfc1ec1e499950e457b4d07bc7fa0322011d576bd7784ccd9304364414bf47fe658f2021ef39d33f1d5f

        • C:\Program Files\Common Files\microsoft shared\A_v_AuTo.dll
          Filesize: 2.1MB
          MD5: 8df2f6666c334bc4ffd9f1805435ffe6
          SHA1: 56902be4a106d231fef4aa18172f38de8e5bd644
          SHA256: 96fa43a9472e69fa19dfdc52822d7113367cbfe6e5efade176bbf44b2c7e8721
          SHA512: 86b49ff8a4ed3440b7bf8235afadf7e940f7b5fe550f44b564cdf154caae49bb5f9699942a5411f5eb74c57bef13a6f1e323a6f39214ce89c9c16bf3850ce54a

        • C:\Program Files\Common Files\microsoft shared\A_v_DVD.dll
          Filesize: 606KB
          MD5: c9f5b42a102a7eafc02edf2568b3e3fd
          SHA1: bf6dfeec9ffcb1bc3f58c8883a8696d2957b775f
          SHA256: 668d3279064a9e63609e246178723857cedd0a415fa857f7b942f654844f19ec
          SHA512: b9406c0a465d16ecbe31031e55de7c80eb06c2d4c78d418c177a33149e68afc0ad065c300c757dfe50c059436acbd9e07bd8084a5a670cf63fac489fd7bfda69

        • C:\Program Files\Common Files\microsoft shared\A_v_TT.dll
          Filesize: 92KB
          MD5: 08161ddde528f68cc653aa3d579f95d2
          SHA1: 8227a3a53483b2f339a963bc09ffb0d516117131
          SHA256: 9981cd2517944a114d7d5a1d71f9e93821218f665c86bc41eee5ba3c74a63c58
          SHA512: 479909dee6671befb7dc1e7007f6ff4c400aa5dbea51f61ea337c726e2f17c7ee57258d9d23c530e19f6b503d861238e6c3314ac97b8e3e922d0b23ff2428f3e

        • C:\Program Files\Common Files\microsoft shared\services.exe
          Filesize: 19.9MB
          MD5: c214fca229d065b799ae552901fe3f59
          SHA1: 3b271438996a35955602fe60b1b06a026ac124b6
          SHA256: ce896f9cc54072750b52e7b5a13e740c6d3684750281492186f4e2f991c09b2d
          SHA512: ec5ecc9a36ce3a0aa821d26a0881195895cb3b54a6b210bf707092f339174b4d39d38bb5c2250b4e3ea4ce9fc7bcf360c3131336d8e7130e6430b0e6b94daf1c

        • C:\Program Files\Common Files\microsoft shared\services.exe
          Filesize: 381KB
          MD5: e1257277b5edcf9a2b0a62c3b8567394
          SHA1: abc161103edc11b622f4cd0f89fc29ed04cf7b3b
          SHA256: e69353fb3c8a69c851b55681797a55d098a016783cf89ef22f77d8a299d82485
          SHA512: 354cf935f2c0014c7506b9e4fdbf195848614af88fd3d6ffe30d33e4557769db5f46f717d42b44d3900b7670293f4896a0e83eed62173bcb68ff3ee743c61264

        • C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe
          Filesize: 252KB
          MD5: 98a47a067a396d52c8f33cd82d1df5e4
          SHA1: 2c8e3743283615f6f54afd60806f5476d3e52f06
          SHA256: cc6e0f9ea16b535ab144868ca0b0b0d41a4953326a3b2bb3bb68a263bb3da83c
          SHA512: 380b32900159deb9a3caad5522414a8d77613fe4b832a63717809efaba65606a4526a4e5e32309c2168e22ce231b1294ee8cb95e633f60f3733f642510ea1f15

        • memory/620-35-0x0000000000400000-0x0000000000413000-memory.dmp (Filesize: 76KB)
        • memory/620-32-0x0000000000400000-0x0000000000413000-memory.dmp (Filesize: 76KB)
        • memory/1240-46-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
        • memory/1240-44-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
        • memory/1240-50-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
        • memory/1612-20-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize: 312KB)
        • memory/1612-9-0x00000000001C0000-0x00000000001C2000-memory.dmp (Filesize: 8KB)
        • memory/1612-7-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize: 312KB)
        • memory/4348-14-0x0000000000400000-0x0000000000441000-memory.dmp (Filesize: 260KB)