Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/02/2024, 14:11
Behavioral task: behavioral1
Sample: 8c875d52a2ae6452ffe4d3437c916346.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 8c875d52a2ae6452ffe4d3437c916346.exe
Resource: win10v2004-20231215-en
General
Target: 8c875d52a2ae6452ffe4d3437c916346.exe
Size: 262KB
MD5: 8c875d52a2ae6452ffe4d3437c916346
SHA1: a8761f0a13f8eb04c8c43820b747340340a896d0
SHA256: 3c876e9284562cf9374ba6384a2073aa1043c6dd2be0b0fb9d1075ebb9a84e6c
SHA512: 2845291eede1080b9d6ee15ab195212f1253b76ef7fef0a58584db673ecd14e78dded855d336e20349abfa2c9c131e0b93c5d2619e6359054bc8520308bf1ffe
SSDEEP: 3072:4LbY/xvmYCOU2+GxOuyKNLRZqExzUNeFbb1EjQIsUBz65/M6If+3Js+3JFkKeTn:4LpGkKxRniIbbKBxBt25
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8c875d52a2ae6452ffe4d3437c916346.exe\" .." | 8c875d52a2ae6452ffe4d3437c916346.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\audiodg.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8c875d52a2ae6452ffe4d3437c916346.exe\" .." | 8c875d52a2ae6452ffe4d3437c916346.exe
Creates scheduled task(s) (1 TTP, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3208 | schtasks.exe
2764 | schtasks.exe
1272 | schtasks.exe
1380 | schtasks.exe
4896 | schtasks.exe
1096 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3232 | 8c875d52a2ae6452ffe4d3437c916346.exe (this same row is recorded 64 times)
Suspicious use of AdjustPrivilegeToken (37 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3232 | 8c875d52a2ae6452ffe4d3437c916346.exe
Token: SeDebugPrivilege | 2300 | 8c875d52a2ae6452ffe4d3437c916346.exe
Token: SeDebugPrivilege | 1336 | 8c875d52a2ae6452ffe4d3437c916346.exe
Token: 33 | 3232 | 8c875d52a2ae6452ffe4d3437c916346.exe
Token: SeIncBasePriorityPrivilege | 3232 | 8c875d52a2ae6452ffe4d3437c916346.exe
The remaining 34 rows alternate between the last two (Token: 33 and Token: SeIncBasePriorityPrivilege), all from pid 3232; the SeDebugPrivilege rows for 2300 and 1336 are interleaved among them in the original listing.
Suspicious use of WriteProcessMemory (36 IoCs)
description | pid | Process | procid_target
PID 3232 wrote to memory of 2892 | 3232 | 8c875d52a2ae6452ffe4d3437c916346.exe | 85
PID 3232 wrote to memory of 1380 | 3232 | 8c875d52a2ae6452ffe4d3437c916346.exe | 87
PID 3232 wrote to memory of 5072 | 3232 | 8c875d52a2ae6452ffe4d3437c916346.exe | 88
PID 3232 wrote to memory of 4896 | 3232 | 8c875d52a2ae6452ffe4d3437c916346.exe | 91
PID 2300 wrote to memory of 3928 | 2300 | 8c875d52a2ae6452ffe4d3437c916346.exe | 101
PID 2300 wrote to memory of 1096 | 2300 | 8c875d52a2ae6452ffe4d3437c916346.exe | 103
PID 2300 wrote to memory of 3584 | 2300 | 8c875d52a2ae6452ffe4d3437c916346.exe | 105
PID 2300 wrote to memory of 3208 | 2300 | 8c875d52a2ae6452ffe4d3437c916346.exe | 107
PID 1336 wrote to memory of 1676 | 1336 | 8c875d52a2ae6452ffe4d3437c916346.exe | 110
PID 1336 wrote to memory of 2764 | 1336 | 8c875d52a2ae6452ffe4d3437c916346.exe | 113
PID 1336 wrote to memory of 4696 | 1336 | 8c875d52a2ae6452ffe4d3437c916346.exe | 115
PID 1336 wrote to memory of 1272 | 1336 | 8c875d52a2ae6452ffe4d3437c916346.exe | 117
Each of the 12 rows above is recorded three times in the original listing (36 IoCs in total).
Processes

1. C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe"
   PID: 3232
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Delete /tn NYANP /F
      PID: 2892
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 5
      PID: 1380
      - Creates scheduled task(s)
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Delete /tn NYAN /F
      PID: 5072
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 1
      PID: 4896
      - Creates scheduled task(s)

1. C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe
   PID: 2300
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Delete /tn NYANP /F
      PID: 3928
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 5
      PID: 1096
      - Creates scheduled task(s)
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Delete /tn NYAN /F
      PID: 3584
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 1
      PID: 3208
      - Creates scheduled task(s)

1. C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe
   PID: 1336
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Delete /tn NYANP /F
      PID: 1676
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 5
      PID: 2764
      - Creates scheduled task(s)
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Delete /tn NYAN /F
      PID: 4696
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\8c875d52a2ae6452ffe4d3437c916346.exe" /sc minute /mo 1
      PID: 1272
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\8c875d52a2ae6452ffe4d3437c916346.exe.log
Filesize: 408B
MD5: 40b0c3caa1b14a4c83e8475c46bf2016
SHA1: af9575cda4d842f028d18b17063796a894ecd9d0
SHA256: 70e88a428d92b6ab5905dac9f324824c4c6f120bc3f385c82b2d12f707a4a867
SHA512: 916437df737de4b6063b7116b4d148229d4a975eb4046122d47434b81fba06e88e09e5f273ec496c81ef3feecb843ccad20a7a04074224416c1fa9951acbdac7