e9981facf2be95e0abe454e8d5e6c81641360ab3ee09061c0fa92eba6d9cb0a3

Analysis

max time kernel
159s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2024, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dog.exe
Size

139.5MB
MD5

f71c554354bf1d6b5bb0f6b1e4adf4af
SHA1

7647253311c00309f9cda21b097fdaa1c8c1cc25
SHA256

40bd7d0c1ba5c44a0b9405c43119f9e41c8754d2635f66cf6b3cbbf544ec8230
SHA512

1b802572b0cb7856fefbd0e2e469d8961b24a0fce03f98120d33876380cf7acf48d5370c8cfa5a2c326ca04d4915133a63810cdca38b3b8f4d9550b6e7f9327f
SSDEEP

786432:X14w5ThzHwQBgmoLWv+K18nCzKdo5DTdvfMQr6SSmPuvh8tSIW68:X14kpHwQjCWv+K18CedmVvEQEpcJW

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3388	dog.exe
3388	dog.exe
5040	dog.exe
5040	dog.exe
5040	dog.exe
5040	dog.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe
Token: SeShutdownPrivilege	1100	dog.exe
Token: SeCreatePagefilePrivilege	1100	dog.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3168	1100	dog.exe	82
PID 1100 wrote to memory of 3388	1100	dog.exe	83
PID 1100 wrote to memory of 3388	1100	dog.exe	83
PID 1100 wrote to memory of 5040	1100	dog.exe	93
PID 1100 wrote to memory of 5040	1100	dog.exe	93

C:\Users\Admin\AppData\Local\Temp\dog.exe
"C:\Users\Admin\AppData\Local\Temp\dog.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\dog.exe
  "C:\Users\Admin\AppData\Local\Temp\dog.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1852,2959667035595671458,15558304523833333525,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:3168
- C:\Users\Admin\AppData\Local\Temp\dog.exe
  "C:\Users\Admin\AppData\Local\Temp\dog.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=2076 --field-trial-handle=1852,2959667035595671458,15558304523833333525,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3388
- C:\Users\Admin\AppData\Local\Temp\dog.exe
  "C:\Users\Admin\AppData\Local\Temp\dog.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1344 --field-trial-handle=1852,2959667035595671458,15558304523833333525,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3168-2-0x00007FF994C20000-0x00007FF994C21000-memory.dmp

Filesize
4KB

Download
memory/3168-5-0x00000261299A0000-0x0000026129A3B000-memory.dmp

Filesize
620KB

Download
memory/5040-16-0x00000170B8540000-0x00000170B8541000-memory.dmp

Filesize
4KB

Download
memory/5040-17-0x00000170B8540000-0x00000170B8541000-memory.dmp

Filesize
4KB

Download
memory/5040-18-0x00000170B8540000-0x00000170B8541000-memory.dmp

Filesize
4KB

Download
memory/5040-23-0x00000170B8540000-0x00000170B8541000-memory.dmp

Filesize
4KB

Download
memory/5040-25-0x00000170B8540000-0x00000170B8541000-memory.dmp

Filesize
4KB

Download
memory/5040-27-0x00000170B8540000-0x00000170B8541000-memory.dmp

Filesize
4KB

Download
memory/5040-26-0x00000170B8540000-0x00000170B8541000-memory.dmp

Filesize
4KB

Download
memory/5040-24-0x00000170B8540000-0x00000170B8541000-memory.dmp

Filesize
4KB

Download
memory/5040-22-0x00000170B8540000-0x00000170B8541000-memory.dmp

Filesize
4KB

Download
memory/5040-28-0x00000170B8540000-0x00000170B8541000-memory.dmp

Filesize
4KB

Download