c29081401e06988f07c143b0ce73990e21222e9b847faffd9c48f431a03bb9d0

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21/01/2024, 10:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6d063a2768053694eb3ca3c449f2c39e.exe
Size

803KB
MD5

6d063a2768053694eb3ca3c449f2c39e
SHA1

6ec3c9ef4252cdf0dac4df6f35d3831723c6b17b
SHA256

c29081401e06988f07c143b0ce73990e21222e9b847faffd9c48f431a03bb9d0
SHA512

5c6a6638c9929157ad03525b38a95ac3e7c2bea3c6c25de07eb4b9322def1482ba233999a706a4cd285d26d948108d1b8f96c2939ef9163fb25895999ddd44e1
SSDEEP

24576:Q/CczGjGj0khrcMzXZuhTTxZPxMp9VUpx4h:Q/CAkGj0kJB8RfEQ/

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svg.lnk	6d063a2768053694eb3ca3c449f2c39e.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	TurboHUD.exe

Loads dropped DLL 7 IoCs

pid	Process
2052	6d063a2768053694eb3ca3c449f2c39e.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2052	6d063a2768053694eb3ca3c449f2c39e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2052 set thread context of 2508	2052	6d063a2768053694eb3ca3c449f2c39e.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2760	2796	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2052	6d063a2768053694eb3ca3c449f2c39e.exe
2052	6d063a2768053694eb3ca3c449f2c39e.exe
2052	6d063a2768053694eb3ca3c449f2c39e.exe
2052	6d063a2768053694eb3ca3c449f2c39e.exe
2052	6d063a2768053694eb3ca3c449f2c39e.exe
2052	6d063a2768053694eb3ca3c449f2c39e.exe
2052	6d063a2768053694eb3ca3c449f2c39e.exe
2052	6d063a2768053694eb3ca3c449f2c39e.exe
2052	6d063a2768053694eb3ca3c449f2c39e.exe
2052	6d063a2768053694eb3ca3c449f2c39e.exe
2052	6d063a2768053694eb3ca3c449f2c39e.exe
2052	6d063a2768053694eb3ca3c449f2c39e.exe
2052	6d063a2768053694eb3ca3c449f2c39e.exe
2052	6d063a2768053694eb3ca3c449f2c39e.exe
2508	RegAsm.exe
2508	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	6d063a2768053694eb3ca3c449f2c39e.exe
Token: SeDebugPrivilege	2508	RegAsm.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2796	2052	6d063a2768053694eb3ca3c449f2c39e.exe	29
PID 2052 wrote to memory of 2796	2052	6d063a2768053694eb3ca3c449f2c39e.exe	29
PID 2052 wrote to memory of 2796	2052	6d063a2768053694eb3ca3c449f2c39e.exe	29
PID 2052 wrote to memory of 2796	2052	6d063a2768053694eb3ca3c449f2c39e.exe	29
PID 2052 wrote to memory of 2976	2052	6d063a2768053694eb3ca3c449f2c39e.exe	30
PID 2052 wrote to memory of 2976	2052	6d063a2768053694eb3ca3c449f2c39e.exe	30
PID 2052 wrote to memory of 2976	2052	6d063a2768053694eb3ca3c449f2c39e.exe	30
PID 2052 wrote to memory of 2976	2052	6d063a2768053694eb3ca3c449f2c39e.exe	30
PID 2052 wrote to memory of 2724	2052	6d063a2768053694eb3ca3c449f2c39e.exe	31
PID 2052 wrote to memory of 2724	2052	6d063a2768053694eb3ca3c449f2c39e.exe	31
PID 2052 wrote to memory of 2724	2052	6d063a2768053694eb3ca3c449f2c39e.exe	31
PID 2052 wrote to memory of 2724	2052	6d063a2768053694eb3ca3c449f2c39e.exe	31
PID 2052 wrote to memory of 2716	2052	6d063a2768053694eb3ca3c449f2c39e.exe	32
PID 2052 wrote to memory of 2716	2052	6d063a2768053694eb3ca3c449f2c39e.exe	32
PID 2052 wrote to memory of 2716	2052	6d063a2768053694eb3ca3c449f2c39e.exe	32
PID 2052 wrote to memory of 2716	2052	6d063a2768053694eb3ca3c449f2c39e.exe	32
PID 2052 wrote to memory of 2968	2052	6d063a2768053694eb3ca3c449f2c39e.exe	34
PID 2052 wrote to memory of 2968	2052	6d063a2768053694eb3ca3c449f2c39e.exe	34
PID 2052 wrote to memory of 2968	2052	6d063a2768053694eb3ca3c449f2c39e.exe	34
PID 2052 wrote to memory of 2968	2052	6d063a2768053694eb3ca3c449f2c39e.exe	34
PID 2052 wrote to memory of 2848	2052	6d063a2768053694eb3ca3c449f2c39e.exe	33
PID 2052 wrote to memory of 2848	2052	6d063a2768053694eb3ca3c449f2c39e.exe	33
PID 2052 wrote to memory of 2848	2052	6d063a2768053694eb3ca3c449f2c39e.exe	33
PID 2052 wrote to memory of 2848	2052	6d063a2768053694eb3ca3c449f2c39e.exe	33
PID 2796 wrote to memory of 2760	2796	TurboHUD.exe	36
PID 2796 wrote to memory of 2760	2796	TurboHUD.exe	36
PID 2796 wrote to memory of 2760	2796	TurboHUD.exe	36
PID 2796 wrote to memory of 2760	2796	TurboHUD.exe	36
PID 2052 wrote to memory of 2836	2052	6d063a2768053694eb3ca3c449f2c39e.exe	35
PID 2052 wrote to memory of 2836	2052	6d063a2768053694eb3ca3c449f2c39e.exe	35
PID 2052 wrote to memory of 2836	2052	6d063a2768053694eb3ca3c449f2c39e.exe	35
PID 2052 wrote to memory of 2836	2052	6d063a2768053694eb3ca3c449f2c39e.exe	35
PID 2052 wrote to memory of 2836	2052	6d063a2768053694eb3ca3c449f2c39e.exe	35
PID 2052 wrote to memory of 2836	2052	6d063a2768053694eb3ca3c449f2c39e.exe	35
PID 2052 wrote to memory of 2836	2052	6d063a2768053694eb3ca3c449f2c39e.exe	35
PID 2052 wrote to memory of 2508	2052	6d063a2768053694eb3ca3c449f2c39e.exe	37
PID 2052 wrote to memory of 2508	2052	6d063a2768053694eb3ca3c449f2c39e.exe	37
PID 2052 wrote to memory of 2508	2052	6d063a2768053694eb3ca3c449f2c39e.exe	37
PID 2052 wrote to memory of 2508	2052	6d063a2768053694eb3ca3c449f2c39e.exe	37
PID 2052 wrote to memory of 2508	2052	6d063a2768053694eb3ca3c449f2c39e.exe	37
PID 2052 wrote to memory of 2508	2052	6d063a2768053694eb3ca3c449f2c39e.exe	37
PID 2052 wrote to memory of 2508	2052	6d063a2768053694eb3ca3c449f2c39e.exe	37
PID 2052 wrote to memory of 2508	2052	6d063a2768053694eb3ca3c449f2c39e.exe	37
PID 2052 wrote to memory of 2508	2052	6d063a2768053694eb3ca3c449f2c39e.exe	37
PID 2052 wrote to memory of 2508	2052	6d063a2768053694eb3ca3c449f2c39e.exe	37
PID 2052 wrote to memory of 2508	2052	6d063a2768053694eb3ca3c449f2c39e.exe	37
PID 2052 wrote to memory of 2508	2052	6d063a2768053694eb3ca3c449f2c39e.exe	37

C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe
"C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Roaming\TurboHUD.exe
  "C:\Users\Admin\AppData\Roaming\TurboHUD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 576
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2760
- C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe
  "C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe"
  2⤵
  PID:2976
- C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe
  "C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe"
  2⤵
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe
  "C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe"
  2⤵
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe
  "C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe"
  2⤵
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe
  "C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe"
  2⤵
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" 2052 "C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" 2052 "C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Svg\Svg.exe

Filesize
512KB

MD5
c4261c9c5f76428fbc5e3c0cf12a8e41

SHA1
47f4962b3f7c5b059d415aec7303039ff8a0cd44

SHA256
3270fdff08b387ae50d5c5fc984702c007a611174346c6396451d4b9ffcaf00c

SHA512
f08867f439917919d991cb41c77c9643b8e930fc27ce7d84cd3ad537e86976828ebf0af747b342e65d41a9caf47b7f745e644a91b8082a34596b1cfb29feef7b

Download Submit
\Users\Admin\AppData\Roaming\TurboHUD.exe

Filesize
61KB

MD5
da015b44aafe0d0c7e4849fd5ea7139c

SHA1
92a525335fde055a5430a068819087011ae3b814

SHA256
322e17690678c51d7240d0a18866a593a76390eb0e4432e262e863c955a63ed5

SHA512
a77bb2431d8b1a3bfb2821374a807e40ce3c2deb8ba88dc2cd7f117dd7b37ca92179438aad3483fd826a9d21b358268caeff1b689b3a5aae18fc6e494f08ecab

Download Submit
memory/2052-0-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/2052-1-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/2052-2-0x00000000020C0000-0x0000000002100000-memory.dmp

Filesize
256KB

Download
memory/2052-41-0x00000000020C0000-0x0000000002100000-memory.dmp

Filesize
256KB

Download
memory/2052-40-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/2508-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-44-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/2508-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2508-39-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-13-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/2796-12-0x0000000071CA0000-0x000000007238E000-memory.dmp

Filesize
6.9MB

Download
memory/2796-11-0x0000000000300000-0x0000000000318000-memory.dmp

Filesize
96KB

Download
memory/2796-42-0x0000000071CA0000-0x000000007238E000-memory.dmp

Filesize
6.9MB

Download
memory/2796-43-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download
memory/2796-14-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download