95acc4d1a274dd2edf1755278413d6d9e5e6485ade610a571c772e98c0fd30a1

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-es
resource tags

arch:x64arch:x86image:win10v2004-20231222-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
12/01/2024, 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DISTRAINT.v06.12.16-PiviGames.blog/distraint.exe
Size

41.9MB
MD5

2459e86fffde857954f486ea57143300
SHA1

e957ca43fac6c62ec64d5c38cca599db8c0792db
SHA256

750685c3c82567fcfc2e73c9acc7905f437a24bb7a8a65ef4818ff59e1941e5e
SHA512

9761478ab5e99199c362231ef7a1645130408d826d7a4b3186b5102dc13f32c1d376d35fe87fb37131cb18ee7ed56b502a5171f4b7e85496088be03676e269f3
SSDEEP

786432:nF4DXwTvNy6yVSs8caIZpgTmFxhSlI5hD1+bPpdv2T/ck9ZEwOVrkL6rDH6QVlgg:7y6yVXFgGxH/JMPpRY/ck/EwOVrkyrxz

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 16 IoCs

pid	Process
1444	distraint.exe
1444	distraint.exe
1444	distraint.exe
1444	distraint.exe
1444	distraint.exe
1444	distraint.exe
1444	distraint.exe
1444	distraint.exe
1444	distraint.exe
1444	distraint.exe
1444	distraint.exe
1444	distraint.exe
1444	distraint.exe
1444	distraint.exe
1444	distraint.exe
1444	distraint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1444	distraint.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4624	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4624	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1444	distraint.exe

C:\Users\Admin\AppData\Local\Temp\DISTRAINT.v06.12.16-PiviGames.blog\distraint.exe
"C:\Users\Admin\AppData\Local\Temp\DISTRAINT.v06.12.16-PiviGames.blog\distraint.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x388 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mrt46FC.tmp\INI++15.mfx

Filesize
356KB

MD5
2fcaff20bddcb6ee8bc00ac4569069bb

SHA1
3ae2a9af4daa4891029863efa144f65e8bbe6585

SHA256
e0403f8daec5b06bf5e5d1f281dbe5bcda845ef8d398668a9115798d9cbed282

SHA512
679c76c97d8def71a2d7b8facef2cf1f288318542a615093d5de218ebd31543e951c6a830c285a7487d8fbcb3e9a561a9621b280dd47f9cca2cdffb045b419c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt46FC.tmp\INI++15.mfx

Filesize
320KB

MD5
fc8ba2934261d5f58938c114de2901d0

SHA1
df9bd785080e89c56bb88c45a7674a571772fa27

SHA256
079a06c902244b5d02dd02cf8dfe8cd7ac0de9c82f0e8f69cb0ac2c7f3a2be73

SHA512
a94e5e7314d1b02f1aeb9d6e09315ab55a68a3d8b755b2378a1b629b960036eae46db9a1103620f58c457e8e62121eacbe93fa656c6b2d3be0293f3656e774f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt46FC.tmp\KcArray.mfx

Filesize
32KB

MD5
454ced31d695ea4f83db1ff81ab5cce2

SHA1
a1d1d16f66d4ba77ffbb46c2c703135b6abbb68f

SHA256
16f507da7814a6105122cbc5a881ee558dafdcd0edc57dcdbce6798aa9dd68ec

SHA512
4f6b36cb7d26cc5623e1608cd061f71bef7c2b67061e6ed4bd55fe09e4971f8099be704ce58c0e5d80329a3396ab82c25502867e6d6a0451913a420279983d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt46FC.tmp\Layer.mfx

Filesize
121KB

MD5
4011f85fff8a854cdbc02c38b5e8e050

SHA1
6e586270b1dccaa8fe5609abbf83fe60cd9772c1

SHA256
dc282ade390ae5bb7249595adac896d2436cf0eea5c63f31e44122173dc96daf

SHA512
cea258db8270ef6b8e4388babdd4915c19e0d4c6ae2b8c947cdd29d8a90153786dc2765e8726585e9c08798727910c4e941b39c12a2981dd0d2efc688890d015

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt46FC.tmp\Steamworks.mfx

Filesize
328KB

MD5
a1e096295b2617f079ea7d02de943529

SHA1
da2c08bc136aed1ac807fe61d377bfea3cd862f7

SHA256
0c01bfa11e5371d5f812f551f0af32099e95785dd44a053506f56b9dd0713329

SHA512
9b8c8ddfd3bfb35214cabd219e148ff46ba7e9ef7448d9aad17954260f295b86a9109a88887ab830d9d1c8ee1b623d09f422ac6d1e9983ae68b7c213aa9a15e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt46FC.tmp\XBOXGamepad.mfx

Filesize
64KB

MD5
c6f91524b66d32793eca88417861fe35

SHA1
d467e589e458149a39818564b2a7f17e7a8513dd

SHA256
ff0a035267f3452268d947feb8434bdc160c7193d312ce5b5a469394c92e986a

SHA512
b471a42a437c834359573470343346364f5a11d407f2e6596b9399753670a9c06c3e0016e85e98cad739b1bc9e119e6040b50aae72aa9ea9866597a45fe1a3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt46FC.tmp\ctrlx.mfx

Filesize
44KB

MD5
ceb8b2e522d0aaaecdf69b3bcc89a530

SHA1
c1cf769a96a9612f7fd0c1965413f4a57e4907e1

SHA256
3407eb12f6bacec5ebd4df96ff3fd34741a3919fd46c2ec527364c5f1e753a65

SHA512
3c46743c635eb96351e6a82490cececb24e6a104433c962f263ec01cf78fa9747d4f56d05c3085c0a18eff7c180b145df5e8e74bc008fe2f617f7f4c24be0331

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt46FC.tmp\kcedit.mfx

Filesize
32KB

MD5
859c36a3cdd818677d07c4ddc333da02

SHA1
f7abebdac9ce18c894d76895f4d31d2152c7b83e

SHA256
f6debba56d335e9dd367a53f3caede7d76f3ccc5473bbbdaf629daf111a881d4

SHA512
70b2be459d711311c4c7a7bf64cbb30d573658b7e37e0f93a2efca88638164f73bc931138ed67bd008229c9d11038b74121d586826494d9f98bb8444a033c832

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt46FC.tmp\kcfile.mfx

Filesize
36KB

MD5
beef4558c23ca51176a3ec1465cff89d

SHA1
a8dda22b337ee4ff6f572603db69f0f6adb6f227

SHA256
daa25c6b2633009f655c0ea0503602ea220f9a5788e3ac7ca11c209be3246333

SHA512
4ce528b244b4e125e61e67094c8c8041a2450db2aba2f95bd6f4b503116439b9b8dbe462c1199fe42c3687432d4475a77bf0730b5cecf8578856ee5b0e112c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt46FC.tmp\kcini.mfx

Filesize
28KB

MD5
ef2cad7570f3d4cfb8dc7915a92e03af

SHA1
e75063b93d22a45c19b14e93a4030a267faaccab

SHA256
52cdd0d5265dbe45966a787d0082e01ada41553c898f02347840aded98d6332f

SHA512
34f202712b3ff0e9bc68c71108f8edd0d61a387a396bfc710af8da26f7d35c0505ba57bfa91ff524c7c43cdc05e09730ca3755e170f65850390fc0a65b8da630

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt46FC.tmp\kcwctrl.mfx

Filesize
61KB

MD5
0f0d7aa7c16138c69c5afcf0556e4fa5

SHA1
996db73f43c4359181916dc87e3e920989564590

SHA256
a02f1647c705602bf51077e2a5c1caf9fbcf8009dcbba4e3b9f25ea31e93b72c

SHA512
0b475e580ce2d945475045b49ee1e1894f26d9c35496b117aee6a67a583798b53804912081a7790b7d784343eb74e2002e5a97d55b0f712adbdcff5c377e24e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt46FC.tmp\mmfs2.dll

Filesize
460KB

MD5
61210630ca4877f7a0a548591113a573

SHA1
072d9f6d7354a8bd8b2b175fecaa631c7cfe2d47

SHA256
565cff6852d4b12ca1590dfa1ff681fa798654bda1ca32e3a944c504dd38c2f3

SHA512
5f3dbe6e11bd7944d90524feff6ec24f539fa23ea7108db3472886571bd20a45abe14096c38a75c5692b14444c7c25e569d59ef95428c85cf9e5c3cb52b849ed

Download Submit
memory/1444-43-0x00000000741A0000-0x0000000074E7F000-memory.dmp

Filesize
12.9MB

Download
memory/1444-42-0x00000000741A0000-0x0000000074E7F000-memory.dmp

Filesize
12.9MB

Download
memory/1444-39-0x0000000001480000-0x00000000014DA000-memory.dmp

Filesize
360KB

Download
memory/1444-52-0x0000000002F00000-0x0000000002F5D000-memory.dmp

Filesize
372KB

Download
memory/1444-60-0x0000000004020000-0x0000000004044000-memory.dmp

Filesize
144KB

Download
memory/1444-100-0x00000000741A0000-0x0000000074E7F000-memory.dmp

Filesize
12.9MB

Download