b3d7d84fdb577210c31c658c11419abc206c88cc3f59e2f3409971097c41ac18

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6404f89198b1eee93328f062293ac98d.exe
Size

233KB
MD5

6404f89198b1eee93328f062293ac98d
SHA1

34fd70acf947419f77248798908887959f9c32e0
SHA256

b3d7d84fdb577210c31c658c11419abc206c88cc3f59e2f3409971097c41ac18
SHA512

ce76ee3191367bb499f1d73a8a19f0a6907bc7e567ba01b42de70c260a52724ea6ad2d2e6332600d27f962979c96b7b6bf39541a21f228f2c3dc62aab3225181
SSDEEP

6144:P+fAz16PHyf+TyBFHOCV1rmoOB/9wiX+BoRfK78S:P+Iz16fjoFHHrPiXrRI8S

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	\??\c:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini	6404f89198b1eee93328f062293ac98d.exe
File created	\??\c:\Program Files\desktop.ini	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\desktop.ini	6404f89198b1eee93328f062293ac98d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\7-Zip\Lang\nb.txt	6404f89198b1eee93328f062293ac98d.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.UnmanagedMemoryStream.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\kaa.txt	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Common Files\System\ado\msado20.tlb	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Collections.NonGeneric.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationCore.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.Aero.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Windows.Forms.Design.resources.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\lib\jconsole.jar	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\VGX\VGX.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-math-l1-1-0.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Globalization.Extensions.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Thread.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\Microsoft.Win32.SystemEvents.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\UIAutomationProvider.resources.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\System.Windows.Controls.Ribbon.resources.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.SecureString.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Console.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\WindowsFormsIntegration.resources.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\WindowsBase.resources.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h	6404f89198b1eee93328f062293ac98d.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Common Files\System\ado\msadrh15.dll	6404f89198b1eee93328f062293ac98d.exe
File created	\??\c:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.Encodings.Web.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.Luna.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\ReachFramework.resources.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_TW.properties	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\sr-spl.txt	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\7-Zip\License.txt	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	6404f89198b1eee93328f062293ac98d.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\PresentationCore.resources.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\javaws.exe	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\mr.txt	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.RegularExpressions.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\DirectWriteForwarder.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\UIAutomationClientSideProviders.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Transactions.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\msvcp140.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\glib-lite.dll	6404f89198b1eee93328f062293ac98d.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Globalization.Extensions.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Xml.ReaderWriter.dll	6404f89198b1eee93328f062293ac98d.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\WindowsBase.resources.dll	6404f89198b1eee93328f062293ac98d.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3000	1280	WerFault.exe	88

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4436	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6404f89198b1eee93328f062293ac98d.exe
"C:\Users\Admin\AppData\Local\Temp\6404f89198b1eee93328f062293ac98d.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 988
  2⤵
  - Program crash
  PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1280 -ip 1280
1⤵
PID:3576

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm

Filesize
345KB

MD5
d55a14af4ec34e900872515121085954

SHA1
c70223e39cd271c0b61fe944ecb4989b4001878e

SHA256
04da054b37ed26075733f88cf92f0c08f259780a1402a85f2c10f0151bf74530

SHA512
7ab44eaee8e1aaf62ff1f45662f474571c441831ada0b74cae2408afbdf368cbae19d1ac020f21a372e5c8f590feb994df9a60db58caf453a81d8ca8b7e51523

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar

Filesize
5B

MD5
b5b682b742431a52ea8b17c72ad9c572

SHA1
326320f469235708c59f678c9a7357dca552d306

SHA256
30d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76

SHA512
4e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163

Download Submit
memory/1280-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1280-2287-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4436-2304-0x0000020D0DD70000-0x0000020D0DD80000-memory.dmp

Filesize
64KB

Download
memory/4436-2288-0x0000020D0DC70000-0x0000020D0DC80000-memory.dmp

Filesize
64KB

Download
memory/4436-2320-0x0000020D160E0000-0x0000020D160E1000-memory.dmp

Filesize
4KB

Download
memory/4436-2322-0x0000020D16110000-0x0000020D16111000-memory.dmp

Filesize
4KB

Download
memory/4436-2323-0x0000020D16110000-0x0000020D16111000-memory.dmp

Filesize
4KB

Download
memory/4436-2324-0x0000020D16220000-0x0000020D16221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads