a0385a5f883e9ea26fd96291834d0c00e74bc9359af388270657f42047aa1fc4

Analysis

max time kernel
117s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Main.exe
Size

840KB
MD5

3ac1784016395353a60fd664f87f099e
SHA1

133a0d95d1180d5734f2b1c6d1f38413bf3d75eb
SHA256

3a01ebe022072ba36fa2c26dda4ee848b3a95e60549cebec50c6d6ba08a95796
SHA512

dd26969c1ff30b4e397c19a2b1e6fbe17d0431836f7b113a7291dcb51a68c9ab5cd6c037799027292d05941c0772d729facfc24681bfbe9833138d62c32039cc
SSDEEP

24576:tw2S04YNEMuExDiU6E5R9s8xY/2l/daN1Ibt+rJ:twS4auS+UjfU2TW1Ibt+r

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2188	AudioDriver.exe

Loads dropped DLL 1 IoCs

pid	Process
2976	Main.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2188	AudioDriver.exe
2188	AudioDriver.exe
2188	AudioDriver.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	AudioDriver.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2188	2976	Main.exe	28
PID 2976 wrote to memory of 2188	2976	Main.exe	28
PID 2976 wrote to memory of 2188	2976	Main.exe	28
PID 2976 wrote to memory of 2188	2976	Main.exe	28

C:\Users\Admin\AppData\Local\Temp\Main.exe
"C:\Users\Admin\AppData\Local\Temp\Main.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
840KB

MD5
3ac1784016395353a60fd664f87f099e

SHA1
133a0d95d1180d5734f2b1c6d1f38413bf3d75eb

SHA256
3a01ebe022072ba36fa2c26dda4ee848b3a95e60549cebec50c6d6ba08a95796

SHA512
dd26969c1ff30b4e397c19a2b1e6fbe17d0431836f7b113a7291dcb51a68c9ab5cd6c037799027292d05941c0772d729facfc24681bfbe9833138d62c32039cc

Download Submit
memory/2188-14-0x0000000000F50000-0x0000000001028000-memory.dmp

Filesize
864KB

Download
memory/2188-36-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2188-35-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/2188-17-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Filesize
64KB

Download
memory/2188-16-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download
memory/2188-15-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2976-3-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/2976-6-0x0000000000650000-0x000000000069E000-memory.dmp

Filesize
312KB

Download
memory/2976-13-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2976-4-0x0000000000520000-0x000000000056C000-memory.dmp

Filesize
304KB

Download
memory/2976-1-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2976-2-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download
memory/2976-0-0x0000000000E80000-0x0000000000F58000-memory.dmp

Filesize
864KB

Download