Analysis
-
max time kernel
142s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25-01-2024 15:43
Static task
static1
Behavioral task
behavioral1
Sample
28866aeeee3377081ac0b841779e92c749357fa06cf842946c54432544cf0696.exe
Resource
win7-20231215-en
General
-
Target
28866aeeee3377081ac0b841779e92c749357fa06cf842946c54432544cf0696.exe
-
Size
1.6MB
-
MD5
e26a57dc48f2ac48102f783fa152c49f
-
SHA1
cc22c45017ea1e4c15472f751ee2f1df03eabb6d
-
SHA256
28866aeeee3377081ac0b841779e92c749357fa06cf842946c54432544cf0696
-
SHA512
e57ae9c4efb6175294e55f52d01f8a291dffe8fe8cb2b76af2598dbb6b71068fe88f4a128b5314f6fd4867bcefc0d8d018c20fb73edce3fd97c99d13cb9bbd99
-
SSDEEP
49152:/e4skx6HWygF+1Z1OZrPnOOgMq6jfsLO:/e4F0HWygS1iUMq6sC
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
alg.exepid process 748 alg.exe -
Drops file in System32 directory 1 IoCs
Processes:
28866aeeee3377081ac0b841779e92c749357fa06cf842946c54432544cf0696.exedescription ioc process File opened for modification C:\Windows\System32\alg.exe 28866aeeee3377081ac0b841779e92c749357fa06cf842946c54432544cf0696.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
28866aeeee3377081ac0b841779e92c749357fa06cf842946c54432544cf0696.exepid process 1504 28866aeeee3377081ac0b841779e92c749357fa06cf842946c54432544cf0696.exe 1504 28866aeeee3377081ac0b841779e92c749357fa06cf842946c54432544cf0696.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
28866aeeee3377081ac0b841779e92c749357fa06cf842946c54432544cf0696.exedescription pid process Token: SeTakeOwnershipPrivilege 1504 28866aeeee3377081ac0b841779e92c749357fa06cf842946c54432544cf0696.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\28866aeeee3377081ac0b841779e92c749357fa06cf842946c54432544cf0696.exe"C:\Users\Admin\AppData\Local\Temp\28866aeeee3377081ac0b841779e92c749357fa06cf842946c54432544cf0696.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:748
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\System32\alg.exeFilesize
1.3MB
MD58f2bdb0c323411d888858413e02c554c
SHA17066f9bf49459569fe1a1df218edc438e208d196
SHA2568cfc772b91efd814a16c864debf36dbcd9b0dc90077df7693f94e2e203c9fbe1
SHA512f43fb34c9e7ba0d235bf0a7277905a2f13e1385e5bcb451bc596f2959e22014abcbbc0b33235371f70171b5f5daefc90b25f9406281d99d02b03a578a7681d8f
-
memory/748-13-0x0000000140000000-0x00000001401E9000-memory.dmpFilesize
1.9MB
-
memory/748-16-0x0000000140000000-0x00000001401E9000-memory.dmpFilesize
1.9MB
-
memory/1504-0-0x0000000000400000-0x0000000000596000-memory.dmpFilesize
1.6MB
-
memory/1504-1-0x0000000000670000-0x00000000006D7000-memory.dmpFilesize
412KB
-
memory/1504-6-0x0000000000670000-0x00000000006D7000-memory.dmpFilesize
412KB
-
memory/1504-7-0x0000000000670000-0x00000000006D7000-memory.dmpFilesize
412KB
-
memory/1504-15-0x0000000000400000-0x0000000000596000-memory.dmpFilesize
1.6MB