Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 03/02/2024, 14:11
Behavioral task: behavioral1
- Sample: 8c875d52a2ae6452ffe4d3437c916346.exe
- Resource: win7-20231215-en
- 5 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: 8c875d52a2ae6452ffe4d3437c916346.exe
- Resource: win10v2004-20231215-en
- 5 signatures
- 150 seconds
General
- Target: 8c875d52a2ae6452ffe4d3437c916346.exe
- Size: 262KB
- MD5: 8c875d52a2ae6452ffe4d3437c916346
- SHA1: a8761f0a13f8eb04c8c43820b747340340a896d0
- SHA256: 3c876e9284562cf9374ba6384a2073aa1043c6dd2be0b0fb9d1075ebb9a84e6c
- SHA512: 2845291eede1080b9d6ee15ab195212f1253b76ef7fef0a58584db673ecd14e78dded855d336e20349abfa2c9c131e0b93c5d2619e6359054bc8520308bf1ffe
- SSDEEP: 3072:4LbY/xvmYCOU2+GxOuyKNLRZqExzUNeFbb1EjQIsUBz65/M6If+3Js+3JFkKeTn:4LpGkKxRniIbbKBxBt25
- Score: 6/10
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\audiodg.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8c875d52a2ae6452ffe4d3437c916346.exe\" .." (process: 8c875d52a2ae6452ffe4d3437c916346.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8c875d52a2ae6452ffe4d3437c916346.exe\" .." (process: 8c875d52a2ae6452ffe4d3437c916346.exe)
Creates scheduled task(s) (1 TTP, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2264: schtasks.exe
- PID 2144: schtasks.exe
- PID 2068: schtasks.exe
- PID 2536: schtasks.exe
- PID 2444: schtasks.exe
- PID 1248: schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1732: 8c875d52a2ae6452ffe4d3437c916346.exe (all 64 entries are this same PID and process)
Suspicious use of AdjustPrivilegeToken (37 IoCs)
- Token: SeDebugPrivilege, PID 1732, 8c875d52a2ae6452ffe4d3437c916346.exe (1 entry, first in the list)
- Token: SeDebugPrivilege, PID 2704, 8c875d52a2ae6452ffe4d3437c916346.exe (1 entry)
- Token: SeDebugPrivilege, PID 796, 8c875d52a2ae6452ffe4d3437c916346.exe (1 entry)
- Token: 33, PID 1732, 8c875d52a2ae6452ffe4d3437c916346.exe (17 entries, alternating with the SeIncBasePriorityPrivilege entries below)
- Token: SeIncBasePriorityPrivilege, PID 1732, 8c875d52a2ae6452ffe4d3437c916346.exe (17 entries)
Suspicious use of WriteProcessMemory (56 IoCs)
Each row below is recorded 4 times in the report (source PID, source process, target PID, procid_target):
- PID 1732 (8c875d52a2ae6452ffe4d3437c916346.exe) wrote to memory of PID 2044, procid_target 28 (x4)
- PID 1732 (8c875d52a2ae6452ffe4d3437c916346.exe) wrote to memory of PID 2536, procid_target 30 (x4)
- PID 1732 (8c875d52a2ae6452ffe4d3437c916346.exe) wrote to memory of PID 2168, procid_target 32 (x4)
- PID 1732 (8c875d52a2ae6452ffe4d3437c916346.exe) wrote to memory of PID 2444, procid_target 34 (x4)
- PID 2728 (taskeng.exe) wrote to memory of PID 2704, procid_target 37 (x4)
- PID 2704 (8c875d52a2ae6452ffe4d3437c916346.exe) wrote to memory of PID 2620, procid_target 38 (x4)
- PID 2704 (8c875d52a2ae6452ffe4d3437c916346.exe) wrote to memory of PID 1248, procid_target 40 (x4)
- PID 2704 (8c875d52a2ae6452ffe4d3437c916346.exe) wrote to memory of PID 2152, procid_target 42 (x4)
- PID 2704 (8c875d52a2ae6452ffe4d3437c916346.exe) wrote to memory of PID 2264, procid_target 44 (x4)
- PID 2728 (taskeng.exe) wrote to memory of PID 796, procid_target 48 (x4)
- PID 796 (8c875d52a2ae6452ffe4d3437c916346.exe) wrote to memory of PID 1492, procid_target 49 (x4)
- PID 796 (8c875d52a2ae6452ffe4d3437c916346.exe) wrote to memory of PID 2144, procid_target 51 (x4)
- PID 796 (8c875d52a2ae6452ffe4d3437c916346.exe) wrote to memory of PID 1284, procid_target 53 (x4)
- PID 796 (8c875d52a2ae6452ffe4d3437c916346.exe) wrote to memory of PID 2068, procid_target 55 (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe (PID 1732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe"
  Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 2044)
    Command line: schtasks /Delete /tn NYANP /F
  - C:\Windows\SysWOW64\schtasks.exe (PID 2536)
    Command line: schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 5
    Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe (PID 2168)
    Command line: schtasks /Delete /tn NYAN /F
  - C:\Windows\SysWOW64\schtasks.exe (PID 2444)
    Command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 1
    Signatures: Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (PID 2728)
  Command line: taskeng.exe {424C449D-76CC-4F68-868F-5B212D51EAA0} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe (PID 2704)
    Command line: C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe
    Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2620)
      Command line: schtasks /Delete /tn NYANP /F
    - C:\Windows\SysWOW64\schtasks.exe (PID 1248)
      Command line: schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 5
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe (PID 2152)
      Command line: schtasks /Delete /tn NYAN /F
    - C:\Windows\SysWOW64\schtasks.exe (PID 2264)
      Command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 1
      Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe (PID 796)
    Command line: C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe
    Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 1492)
      Command line: schtasks /Delete /tn NYANP /F
    - C:\Windows\SysWOW64\schtasks.exe (PID 2144)
      Command line: schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 5
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe (PID 1284)
      Command line: schtasks /Delete /tn NYAN /F
    - C:\Windows\SysWOW64\schtasks.exe (PID 2068)
      Command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 1
      Signatures: Creates scheduled task(s)