Overview

overview

8

Static

static

3

581a98416e...da.exe

windows7-x64

8

581a98416e...da.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    159s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/01/2024, 05:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    581a98416ef59c1897c80375ac7cc5da.exe

  • Size

    668KB

  • MD5

    581a98416ef59c1897c80375ac7cc5da

  • SHA1

    572c9b667bcb7afadff147e0010630b213cbfa66

  • SHA256

    ebb710170635554d4b9ce77873ff341916db87a41f5981830b323c69c2afb736

  • SHA512

    d5b37eeb95827b2701f15793785f3283ce700ed995e55e9dce4852ff73e0920622e70dd952ab9fad6d8882b1acdecc40a50a65c5503b6be7640f6c75d421dd1a

  • SSDEEP

    12288:FeBNUbTVO86UyIR4YhoCHQtXR7/qt1Mp5O/AbSxDefR66jUKCQiMPj:FJIUyGzhowQL7CYgAbWCUKCQimj

Score
8/10
discoveryevasiontrojan

Malware Config

Signatures

  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 44 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\581a98416ef59c1897c80375ac7cc5da.exe
    "C:\Users\Admin\AppData\Local\Temp\581a98416ef59c1897c80375ac7cc5da.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3668
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:4940
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:4552
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:3660
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4420
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:3456
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:4056
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:2852
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3184

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      Filesize

      170KB

      MD5

      d02af8c66ac34170bb63fd284c72db52

      SHA1

      399b2af0f5720e7275af8a8b14e29ed20587ee87

      SHA256

      580a149df296fb9d1fbc30ea33141ac140008fd09c617ea4dadf71a4df681d53

      SHA512

      23afc0265df130751a03b36715d922fca84d1145e843518cd2b245dae8a851ce62a89541991ab6a7b880d6276c6686b1126e3a992e2b3b11ac8abe30b1cad855

      Download Submit

    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      Filesize

      367KB

      MD5

      16e84cfcff8d47e944e022ca1f3d22cd

      SHA1

      c308f5341cc78d903093f13c236b877cb56aa791

      SHA256

      8f94c23ba5c93979fad10a0deb5955bb0255c8cdec33febdfb757d62944b824b

      SHA512

      545f6f99d490f2387cb6dcf3864bf21e2445d2fa3cc22cb1b835b66c19a2727699dce7f056b1d698333b7e25812bdbdfcdf1a9c7974ce9ca679bd91d6905689d

      Download Submit

    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      Filesize

      12KB

      MD5

      e04a1fac943d1d1451360bcf59caf9d8

      SHA1

      7c3baa67704351c00980d9a9a736be28118099b5

      SHA256

      c07112a18205bbd8a3acc1f5defbb49d7e503b4803ab413e53e84a1bfeea3517

      SHA512

      eaaa2ca2dd765520ec35d63ec20f60187b20fc7845384bf39555db155e956c8f47fb3f72828089396c8a3b299cfd4c3107acb474b5e49b48771031ca4f4a9fbe

      Download Submit

    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\fadjidqc.tmp
      Filesize

      2.0MB

      MD5

      964fb26966c379d0d77f790662b9040e

      SHA1

      b29b23a518c8602079d6f71686f39dfbe8e98927

      SHA256

      9706626143688c9cf5c036bfed4412660f1aeaa9b3171c7a4434afe222652ad9

      SHA512

      dc739e3ffd09c25b6f06f243202ba2f24cf94cbfb82a8ee65aa8b97ae9a07a003ff1fb544fb7a08d7f2f03778cdc2039880a83f967afa646fc9bcd96b6389c3d

      Download Submit

    • C:\Users\Admin\AppData\Local\biecdkmb\qkkjmiig.tmp
      Filesize

      678KB

      MD5

      957a03ace3469a5131b32ecfbb861cde

      SHA1

      0872a6fa6a183d1f955e8b69b0be099afa72f38d

      SHA256

      dc2df07a43f6f51ca88325e5919c28a25ce2b346850a550ab9550e71b7d1f5f7

      SHA512

      da15e3b713ed65bc0535a0b698d5c1a1fd5795eb0989ab1f0289c55eafb2743b9635252fa3b1cd5c5092afeb09e4d4db7701a1d0d4ccd8fd81b8cf4363421e09

      Download Submit

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      Filesize

      483KB

      MD5

      66ffb2ac37537cd9460dd5c6b98d14b7

      SHA1

      3c13e2984aeb7388059d8f1004f7af0e51bf87b5

      SHA256

      1001ddd6f7eef54fa11205757772dae7833bb6e4dfb6341aeb284abe712312ab

      SHA512

      60f3b4c9eb8ce9749811829d04fb12bc04f848195ae7cd2aae727148bc11097c4093bd589db1885bd64a27c947e33f45f0fdef9a62b3fd5e0d4104b449155813

      Download Submit

    • C:\Windows\System32\FXSSVC.exe
      Filesize

      1.0MB

      MD5

      d990be091746faaf1cba51c09b4f2616

      SHA1

      2cab41775591d253a4f65cae4df7f0ac9fb5f324

      SHA256

      cc142cafe04311203f30431c9a7d29287bdad24527525feaeb53de851fde95ef

      SHA512

      b7a1cd3855ba9e25abcf218caacca0a65996ad9811db1fad8231b4fd0f49ab45395a869bfaf12137b79f3de71528add4955c6c55d1394ac0cbb7e301c123b80d

      Download Submit

    • C:\Windows\System32\alg.exe
      Filesize

      485KB

      MD5

      85e353de7ccb3b81268095bd60a6c0c8

      SHA1

      f42b1bf9eac140c725eed8fe4276126421905674

      SHA256

      92f043aeec514deaa0f123513947615d46212f8d4a4c1180032264594d05e002

      SHA512

      ac21cdd8901a118341d76f40c2a21d5d2204aaefe98554cae43b785824fc4c1db9e3551f3e53aea1925088d00a49a36a49a6f006a9e1fe7debde51b7d09eab3b

      Download Submit

    • C:\Windows\System32\msdtc.exe
      Filesize

      536KB

      MD5

      c0bb8fe91787545d764590ebc4b0a972

      SHA1

      9f49dd3ee55496b936d4ab845975aa2f8493281d

      SHA256

      29f604d63d3ed7854ab72d2d7166120dcf196c3192f20bd625ee27d728d21548

      SHA512

      9dc3bf0576ede3baf7f58a002dc9031d506fa6b37d8fbd12f4bf379185db2cd95c14d5e36a70dc9add68b8563bf059c2eb1bfc4153b8a882ad682399460a03b2

      Download Submit

    • C:\Windows\system32\msiexec.exe
      Filesize

      459KB

      MD5

      3de376ce329d7a672f8d2250b4261e20

      SHA1

      e38fd060c91641b32bab287f4ad22694547eb731

      SHA256

      daf3699af983e2a25d711d9dbaca48ef04956109de205f41e99be15f18dc5a24

      SHA512

      8891f26a563738a64483589e7066020797b4cd66555f3f86b5794a366c1adf56384a87fed13824d0f9665b7b4b92b3a170bdc3ed33b8813973c5c1f3e314cb8e

      Download Submit

    • \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe
      Filesize

      1.9MB

      MD5

      973b288ccf24b58aabc0dc4457dcfe85

      SHA1

      92d49101c2bc99f5edb6e213819616b4337a69e2

      SHA256

      736d7b57e2576e21da12d2a705cc867bebbdaef9742c693be58d163435befff4

      SHA512

      c28fc28b8567e350e79bb08b3ac7982167cd86578c24f5df8015a2f3fe6b9dc53a1660495889cb6c58fde54041151ee81478590984a78f7fa2d378446a68a971

      Download Submit

    • \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
      Filesize

      609KB

      MD5

      8c9299b03e9bc26d9b3aefab559b9640

      SHA1

      7e897481a672acff83f6c5d3ee4b1c72918195f9

      SHA256

      1fa1552979bd7464d88ee66b0ccfb3f0e25a006c737a1c2c17ae11a1bd53fd5f

      SHA512

      ad583c37f0d1533d13e5cd44730dd03ac06d513cf9c42b6b5694eb9a35e0bbf52ef594c82b77699a5195aaf00efb01f3049c0ce3dc7a3cd0cf3aae0e6a0df9b4

      Download Submit

    • \??\c:\program files\common files\microsoft shared\source engine\ose.exe
      Filesize

      633KB

      MD5

      eb1f140dec7ebf3f25433d3d3f2fb4c4

      SHA1

      38b45a7ecf5bc30c03d2a69835103e0a884bd721

      SHA256

      1099cc890ec37c9c28af50b8f36310014133dc2866e9499ab37bcd805a605ba3

      SHA512

      c03c63fd66175b1527b47010667b3b38bec57caf05079d8e5e1c1711a1493edf1f030efc2fe1788a6116ebce64bc1108baf4fa6dc0fcc5578a38e6044da68663

      Download Submit

    • \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe
      Filesize

      869KB

      MD5

      6696976ea1e68c04f83346f2ced64984

      SHA1

      fc53e57aa060ac503a25e885a019a08d3dc1ddc4

      SHA256

      8af656ce18a0d106565a40b70d7457fae7e5defca2ef074b5a3c935a7a1b59ae

      SHA512

      9ea71548b8a3bb98eefcf772cb30a58ac5c1f3c73ac283a45876c2ef1a15075267866381813f8c6c7169b26e415360c5a6a78ce013e3fdb599367340b88e3e94

      Download Submit

    • memory/2824-55-0x00007FF753C60000-0x00007FF753E20000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2824-57-0x00007FF753C60000-0x00007FF753E20000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2852-77-0x00007FF7FCAD0000-0x00007FF7FCC13000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3184-93-0x00007FF6C6C80000-0x00007FF6C6DAF000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3668-0-0x00007FF6C7680000-0x00007FF6C777F000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/3668-11-0x00007FF6C7680000-0x00007FF6C777F000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/3668-2-0x00007FF6C7680000-0x00007FF6C777F000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/4056-70-0x00007FF753340000-0x00007FF753495000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4552-65-0x00007FF75C970000-0x00007FF75CAA3000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4552-37-0x00007FF75C970000-0x00007FF75CAA3000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4940-49-0x00007FF75D010000-0x00007FF75D144000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4940-19-0x00007FF75D010000-0x00007FF75D144000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4940-18-0x00007FF75D010000-0x00007FF75D144000-memory.dmp

      Filesize

      1.2MB

      Download