8ed3425a9032e3bf6af2f8f99812aecb98266d7946d04c9e14c2065c175171a6

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15/01/2024, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c0dd9bdca98af3d296496f07a3d8cd5.exe
Size

606KB
MD5

5c0dd9bdca98af3d296496f07a3d8cd5
SHA1

4c1967fbd36d4b6f85965d418ef331713ed8c126
SHA256

8ed3425a9032e3bf6af2f8f99812aecb98266d7946d04c9e14c2065c175171a6
SHA512

7851bbe09cdb174575e63e3e97cc4fecbfaa85fc5ef667979d7fa785684ec1decf3cb3614e2ae2527a3f0410f919daba368a8db89a80eeb2c45cb0fddd06ecfd
SSDEEP

12288:8aOuKf6/agO+Xuc6G1ZRqLFuVOohOMDXasrXCckE3G:8ag5+Xj1nqcLDXa2CvEW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1280	svchost.exe
3312	5c0dd9bdca98af3d296496f07a3d8cd5.exe
5060	svchost.exe
4956	update.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	5c0dd9bdca98af3d296496f07a3d8cd5.exe
File opened for modification	C:\Windows\KB835221.log	update.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	4956	update.exe
Token: SeRestorePrivilege	4956	update.exe
Token: SeShutdownPrivilege	4956	update.exe
Token: SeSecurityPrivilege	4956	update.exe
Token: SeTakeOwnershipPrivilege	4956	update.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 1280	4620	5c0dd9bdca98af3d296496f07a3d8cd5.exe	86
PID 4620 wrote to memory of 1280	4620	5c0dd9bdca98af3d296496f07a3d8cd5.exe	86
PID 4620 wrote to memory of 1280	4620	5c0dd9bdca98af3d296496f07a3d8cd5.exe	86
PID 1280 wrote to memory of 3312	1280	svchost.exe	89
PID 1280 wrote to memory of 3312	1280	svchost.exe	89
PID 1280 wrote to memory of 3312	1280	svchost.exe	89
PID 3312 wrote to memory of 4956	3312	5c0dd9bdca98af3d296496f07a3d8cd5.exe	92
PID 3312 wrote to memory of 4956	3312	5c0dd9bdca98af3d296496f07a3d8cd5.exe	92
PID 3312 wrote to memory of 4956	3312	5c0dd9bdca98af3d296496f07a3d8cd5.exe	92

C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe
"C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe
    "C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - \??\c:\a6b349ebddab1e316c392d548ed70c\update\update.exe
      c:\a6b349ebddab1e316c392d548ed70c\update\update.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:4956

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe

Filesize
544KB

MD5
dd723698f56877704ba8184f36548293

SHA1
3fe89f986063f8ff23c1895f086e5769ac48a12f

SHA256
c99a8a682a36307ce727a4bd77a708033791774f28c89136d9f3abeff9632957

SHA512
b674c240ab2aec233d76a8ea62435ebbb9f8386b5ee85fc1213d770a6880c607952b7d4d7874ca1c14542740a5d1ea50c80094b6ae3a6fac05e52c85ccec9eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe

Filesize
571KB

MD5
77e0acbf3c2898956b4b3172d2d8e1d8

SHA1
d89f773b5cad5ffaf41bb1975451e0eebe800d50

SHA256
e3b51ebf4b5fe29c9b1d99c53f2724ff50c41841152ead93beabf1ec494a865d

SHA512
e41633927ee3ad242cd24456f49c2af4210dfb7da61c3a64d552c66b6643c41a75af0edbe8ad8fde208db32e0cd85a0b4671c45045d6fa8c24af7dac449a968f

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\a6b349ebddab1e316c392d548ed70c\update\update.exe

Filesize
615KB

MD5
59bb3bf43d1cbef1287186d5a00e04a5

SHA1
f09950a598e19210e9c1a9cb6b04a4462e286db0

SHA256
df2ca8e25498ce9d36da642168e44333ceae620029db4c93b4a30021988ac7bd

SHA512
b6fffb4245c4f43b2578ff65e43691a572644af4c1740f59b53ee85bcd3477b18b7c951d558c46c3fb5161e1a21b49efc48eff5e7e69d33d3296a276b5b99f04

Download Submit
\??\c:\a6b349ebddab1e316c392d548ed70c\Update\HDAUpdate_Srv2k3.inf

Filesize
6KB

MD5
f63ea3dc2d0b3caa958ec933e29dcaab

SHA1
37673e1944ca3d088fc66deca93eaf7fdbe31c8f

SHA256
11ea895544bc0917865b3e84de69bdcb353fc80eeed0de7588feb71ada6f7bdd

SHA512
0ad1601f7c69cf73cc09d5a3aeb64ecfd164295a94e655ee6df1bbcf56a7076b79790d9346522b2d4ace720bd17cfa5beffb8a53dc71d0467c3d67a368d98c0b

Download Submit
\??\c:\a6b349ebddab1e316c392d548ed70c\update\update.exe

Filesize
544KB

MD5
6c5b2ee20e8c9bae26d30595056d0bd7

SHA1
f0b514c9beb3fb94b8928dae1b9b7f8e59b40fef

SHA256
2be6c9398e33d9a0ce4d1da9f3437d5ef4f71515bbb21a2a3c8ab075ad886f8d

SHA512
084eea524e393761114fa811a08b2d440eef0b1882312c3891dcd3abc5c35844db457be02ff5ae9cb1d8b4ded0096d31ea72befbc198e11b03d93e5bc695874a

Download Submit
\??\c:\a6b349ebddab1e316c392d548ed70c\update\updatebr.inf

Filesize
387B

MD5
05ffc8f5b730218b7348db3c5ea6e8ed

SHA1
96383215f5d7688e20e3e996015d0b87c962595c

SHA256
fb35807db481a00babb273cf723e595ec2cd1ffb4f8f182d00bf973269d8e724

SHA512
1093e07b4281d1c17ba239bb06abbe3b11513f9066bb37909d850fdf775b85be178ea14a6a622d42afb6fe3307e7862c4a3dd7a37249e491a14c44b283c30b1a

Download Submit
memory/1280-11-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5060-57-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download