Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29/02/2024, 02:34
Behavioral task
behavioral1
Sample
ad7841a5878b1dfa75b05bb4d2b20eb0.exe
Resource
win7-20240221-en
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
ad7841a5878b1dfa75b05bb4d2b20eb0.exe
Resource
win10v2004-20240226-en
5 signatures
150 seconds
General
-
Target
ad7841a5878b1dfa75b05bb4d2b20eb0.exe
-
Size
4.2MB
-
MD5
ad7841a5878b1dfa75b05bb4d2b20eb0
-
SHA1
59a129b87941e44246dc7f143ab4353bbd0f82e4
-
SHA256
9d595e48793c40a85057d2c7a56fbc2acb925a2d083f1d19f654e7a57ffaf6b7
-
SHA512
f41a53e7dc31ecfe2551d762c8a658dfb93df78fea6b3bc70cc89bfdb4c243c6ccf8631376d30435558c6e46c55e693e5d43aeeb19f2f37e01a7ea0f3f96f8b0
-
SSDEEP
98304:Aw4EaKOz9QGCKP74FV8/63O2IHTH5Gvq3CqIkV03:AG2D7GV872STHUvqSBkV
Score
6/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avg = "C:\\Arquivos de programas\\avg.exe" ad7841a5878b1dfa75b05bb4d2b20eb0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\System32\\WMPlayer12.exe" ad7841a5878b1dfa75b05bb4d2b20eb0.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\WINDOWS\SysWOW64\PLUG.SYS ad7841a5878b1dfa75b05bb4d2b20eb0.exe File created C:\Windows\SysWOW64\WMPlayer12.exe ad7841a5878b1dfa75b05bb4d2b20eb0.exe File opened for modification C:\Windows\SysWOW64\WMPlayer12.exe ad7841a5878b1dfa75b05bb4d2b20eb0.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\Log1 ad7841a5878b1dfa75b05bb4d2b20eb0.exe File created C:\WINDOWS\Longg ad7841a5878b1dfa75b05bb4d2b20eb0.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4656 ad7841a5878b1dfa75b05bb4d2b20eb0.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4656 wrote to memory of 4692 4656 ad7841a5878b1dfa75b05bb4d2b20eb0.exe 92 PID 4656 wrote to memory of 4692 4656 ad7841a5878b1dfa75b05bb4d2b20eb0.exe 92 PID 4656 wrote to memory of 4692 4656 ad7841a5878b1dfa75b05bb4d2b20eb0.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad7841a5878b1dfa75b05bb4d2b20eb0.exe"C:\Users\Admin\AppData\Local\Temp\ad7841a5878b1dfa75b05bb4d2b20eb0.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\cmd.execmd / C:\DellPlung.exe2⤵PID:4692
-