Analysis

max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-01-2024 08:16
Static task: static1

Behavioral task: behavioral1
  Sample: 79bb4dcfb058571e1fdb5769e7a3189f.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 79bb4dcfb058571e1fdb5769e7a3189f.exe
  Resource: win10v2004-20231222-en
General

Target: 79bb4dcfb058571e1fdb5769e7a3189f.exe
Size: 748KB
MD5: 79bb4dcfb058571e1fdb5769e7a3189f
SHA1: 6a9026a6abc1e92f6cbb870e528e31934bf57b19
SHA256: bb88afd38b7524ef6adf547336ca9fc77f0fa227b9fc5542c75fb3692a69cb90
SHA512: 238d46f48e10bdc48b0657195597708a5ddf8fce7633b4bc2f5162eb76c051333481f3de6a4c8bdbcf90cf1a0fcc7c00d460335abd181ce4a3edbd307effa587
SSDEEP: 12288:hau9M/94yV2ak64YOABuxBEV81ogq00Dji96uHPPA4dB:hawMrVfX4YOPE0orDxwZB
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
pid   Process
2528  svchost.exe
540   79bb4dcfb058571e1fdb5769e7a3189f.exe
436   svchost.exe
3804  rigelian_hotshots.exe

Loads dropped DLL (4 IoCs)
pid   Process
540   79bb4dcfb058571e1fdb5769e7a3189f.exe
540   79bb4dcfb058571e1fdb5769e7a3189f.exe
3804  rigelian_hotshots.exe
3804  rigelian_hotshots.exe
Drops file in Program Files directory (64 IoCs)
description  ioc  Process
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javah.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javapackager.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmic.exe  svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\java.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javaws.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jmap.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jstatd.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\kinit.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\pack200.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe  svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\policytool.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\wsgen.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\wsimport.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\unpack200.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\xjc.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jstat.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jhat.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\keytool.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jar.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\schemagen.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\serialver.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe  svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javac.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jdeps.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jinfo.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\servertool.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\idlj.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javap.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jcmd.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jdb.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe  svchost.exe
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe  svchost.exe
File opened for modification  C:\Program Files\7-Zip\7z.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe  svchost.exe
File opened for modification  C:\Program Files\dotnet\dotnet.exe  svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\chrome.exe  svchost.exe
Drops file in Windows directory (1 IoC)
description  ioc  Process
File created  C:\Windows\svchost.exe  79bb4dcfb058571e1fdb5769e7a3189f.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: 33  628  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  628  AUDIODG.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
pid  Process
540  79bb4dcfb058571e1fdb5769e7a3189f.exe
540  79bb4dcfb058571e1fdb5769e7a3189f.exe
540  79bb4dcfb058571e1fdb5769e7a3189f.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description  pid  Process  procid_target
PID 1512 wrote to memory of 2528  1512  79bb4dcfb058571e1fdb5769e7a3189f.exe  85
PID 1512 wrote to memory of 2528  1512  79bb4dcfb058571e1fdb5769e7a3189f.exe  85
PID 1512 wrote to memory of 2528  1512  79bb4dcfb058571e1fdb5769e7a3189f.exe  85
PID 2528 wrote to memory of 540  2528  svchost.exe  86
PID 2528 wrote to memory of 540  2528  svchost.exe  86
PID 2528 wrote to memory of 540  2528  svchost.exe  86
PID 540 wrote to memory of 3804  540  79bb4dcfb058571e1fdb5769e7a3189f.exe  89
PID 540 wrote to memory of 3804  540  79bb4dcfb058571e1fdb5769e7a3189f.exe  89
PID 540 wrote to memory of 3804  540  79bb4dcfb058571e1fdb5769e7a3189f.exe  89
Processes

C:\Users\Admin\AppData\Local\Temp\79bb4dcfb058571e1fdb5769e7a3189f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\79bb4dcfb058571e1fdb5769e7a3189f.exe"
PID: 1512
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory

    C:\Windows\svchost.exe
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\79bb4dcfb058571e1fdb5769e7a3189f.exe"
    PID: 2528
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\79bb4dcfb058571e1fdb5769e7a3189f.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\79bb4dcfb058571e1fdb5769e7a3189f.exe"
        PID: 540
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\rigelian_hotshots.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\rigelian_hotshots.exe"
            PID: 3804
            - Executes dropped EXE
            - Loads dropped DLL

C:\Windows\svchost.exe
Command line: C:\Windows\svchost.exe
PID: 436
- Executes dropped EXE
- Drops file in Program Files directory

C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x300 0x4e8
PID: 628
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 713KB
MD5: c6b54a1471fd7ae270cc1ee690443143
SHA1: 3bab51e19aa4a92e5476162974bae1b2418ef5af
SHA256: ca2c01f2e5f7e9aa9fa6b3bbcd75c4fb2bd35b48bb0cc4791b8df1c7f1cb1bfe
SHA512: 221e721b26b95cb29fc62736493263119ceb88b0840b6666ba2b0682f515920c23a4e0d6f470aa61e2a1c54957c97679e3a616f077d486696c57a5be287341f7

Filesize: 22KB
MD5: 3c090bac965ee3543728d16b87a4d29f
SHA1: 859fbb59a7d8468100d20fd120a100d555651438
SHA256: e54391a41a9a2807f1f5117a5e2947e9bc2875ae91fa2ac8868d26a3208d7d39
SHA512: de351362ee253d63a4eea0f66cb5172bd219c51774e58186add730e6f752b94a7ae0ef4bafc22aa260532410a75bc9c01d7355c3d707168683f3e925d68a2dd8

Filesize: 964KB
MD5: 4a46a813fae974854e6b6c4200f56280
SHA1: 3d7dbe5f2607e5108b4e9aab45a0acab8282252f
SHA256: 57dc22f40617632e86da6a89d1a4767ada7e54de052e8853451dee00ec30de4f
SHA512: 39d360f2853ecfe8bbba4f92c6eb6e1936318b501b92be77c17cd1f135d86de41c79b6f6a112a667d39362cba8bfaf2fac3c1ab58049d2f60a8a5cdb6d1d217b

Filesize: 35KB
MD5: 345861f739ef259c33abc7ef49b81694
SHA1: 3b6aff327d91e66a207c0557eac6ddefab104598
SHA256: fc3220611aded768e37b125c4e4d5a8ffdbf7dfa8d8c19c07c7791b486457948
SHA512: 7b0aae948a594f29125a3e80f6c2b51421cda07f5ee4554538037f12b87d4b3937ee74fb400505efcd2a953c897a49d79d875148516dcef619c514251854dfad