498fb2c8c874e3d63168021abb6c4b0caa23dd3df704bc27d175d2da59018432

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2024, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ff9010618c92ebd5425684b26b7dff4.exe
Size

577KB
MD5

6ff9010618c92ebd5425684b26b7dff4
SHA1

afcca43e44da1065f738ad426f65678a8aedf1fd
SHA256

498fb2c8c874e3d63168021abb6c4b0caa23dd3df704bc27d175d2da59018432
SHA512

94bbf4bc58ca22c2cb847d40b0b3d1d0008a6e7920ca70b829388d36707e81a6df16a3f9c1b1872a5dfc70a93496343715af8efb4346f5aaf979bc465105e0dd
SSDEEP

12288:hau9M494jXi1em6M71qHfgudE0SXeqLfJrjGp0c2qrptpyxr9A4dB:hawMDYJzKO759c2qVOB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1140	svchost.exe
3752	6ff9010618c92ebd5425684b26b7dff4.exe
1672	svchost.exe
4360	smashing.exe

Loads dropped DLL 4 IoCs

pid	Process
3752	6ff9010618c92ebd5425684b26b7dff4.exe
3752	6ff9010618c92ebd5425684b26b7dff4.exe
4360	smashing.exe
4360	smashing.exe

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	6ff9010618c92ebd5425684b26b7dff4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	412	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	412	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3752	6ff9010618c92ebd5425684b26b7dff4.exe
3752	6ff9010618c92ebd5425684b26b7dff4.exe
3752	6ff9010618c92ebd5425684b26b7dff4.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 1140	2832	6ff9010618c92ebd5425684b26b7dff4.exe	86
PID 2832 wrote to memory of 1140	2832	6ff9010618c92ebd5425684b26b7dff4.exe	86
PID 2832 wrote to memory of 1140	2832	6ff9010618c92ebd5425684b26b7dff4.exe	86
PID 1140 wrote to memory of 3752	1140	svchost.exe	87
PID 1140 wrote to memory of 3752	1140	svchost.exe	87
PID 1140 wrote to memory of 3752	1140	svchost.exe	87
PID 3752 wrote to memory of 4360	3752	6ff9010618c92ebd5425684b26b7dff4.exe	89
PID 3752 wrote to memory of 4360	3752	6ff9010618c92ebd5425684b26b7dff4.exe	89
PID 3752 wrote to memory of 4360	3752	6ff9010618c92ebd5425684b26b7dff4.exe	89

C:\Users\Admin\AppData\Local\Temp\6ff9010618c92ebd5425684b26b7dff4.exe
"C:\Users\Admin\AppData\Local\Temp\6ff9010618c92ebd5425684b26b7dff4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\6ff9010618c92ebd5425684b26b7dff4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\6ff9010618c92ebd5425684b26b7dff4.exe
    "C:\Users\Admin\AppData\Local\Temp\6ff9010618c92ebd5425684b26b7dff4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\smashing.exe
      "C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\smashing.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4360

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1672

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d0 0x398
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6ff9010618c92ebd5425684b26b7dff4.exe

Filesize
541KB

MD5
1320f7fbd7445928deb146c52a59f242

SHA1
b939fcc9aed3881336f42924f407d85879b37ed0

SHA256
754a120387e79dd7cababa1e44749ca1742b6cb8ab446481f5ac4782f11ed94f

SHA512
75901e410ff6a5d33a67fcafdca1c4000e3f6348fa47f6b2a019c103a10a633ee1b25de03a8859f6b37910be6b2b6e25b2a0c5361f9fd7611cc902c31a2f7132

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\jesterrun0.dll

Filesize
22KB

MD5
3c090bac965ee3543728d16b87a4d29f

SHA1
859fbb59a7d8468100d20fd120a100d555651438

SHA256
e54391a41a9a2807f1f5117a5e2947e9bc2875ae91fa2ac8868d26a3208d7d39

SHA512
de351362ee253d63a4eea0f66cb5172bd219c51774e58186add730e6f752b94a7ae0ef4bafc22aa260532410a75bc9c01d7355c3d707168683f3e925d68a2dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\smashing.exe

Filesize
761KB

MD5
a1116fe87bb624aa01397c2df435cafc

SHA1
245d4ee66b52b520d335938d25a505f46a330379

SHA256
aa1694d15ec9434959fb78d81c96f5e4ef6c409dc24c8e59ecf22bd44295857b

SHA512
a55e03803322579337079aea7e6c7734ecb31c2c283aec1729d17ce790655fd23052002687a1bc85d5c35f6b052b44ab54fdabf68fcda601505078575ac88f5b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
345861f739ef259c33abc7ef49b81694

SHA1
3b6aff327d91e66a207c0557eac6ddefab104598

SHA256
fc3220611aded768e37b125c4e4d5a8ffdbf7dfa8d8c19c07c7791b486457948

SHA512
7b0aae948a594f29125a3e80f6c2b51421cda07f5ee4554538037f12b87d4b3937ee74fb400505efcd2a953c897a49d79d875148516dcef619c514251854dfad

Download Submit
memory/1140-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1672-34-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1672-46-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1672-58-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2832-3-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3752-32-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3752-33-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/4360-35-0x0000000002080000-0x0000000002090000-memory.dmp

Filesize
64KB

Download