b12bcaa51b4bee455e8a694c2b99b4b83a4525c4cba9c1f12c05af7a90bf1212

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c25bcdd4496384575416f8d7ee5bf63e.exe
Size

2.8MB
MD5

c25bcdd4496384575416f8d7ee5bf63e
SHA1

b89f0206c7d441676b1fda7b708e207ee8cda827
SHA256

b12bcaa51b4bee455e8a694c2b99b4b83a4525c4cba9c1f12c05af7a90bf1212
SHA512

2237e6a3fe2390e37eaf21155194946c5787b3b02fcd2b6a67d993bf6bf0f482f5790c4d2c154d6b619c453c7d2361bab9012a43af40eedb6294640c8ad97469
SSDEEP

49152:CYhrXIuoZAn3pFiO2l/GHF5c098MpWGjxMAyn6FYwtoDhu0v:CSrOA3/iOI2V87Uxd02oNv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4220	svchost.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
224	svchost.exe

Loads dropped DLL 17 IoCs

pid	Process
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe
2916	c25bcdd4496384575416f8d7ee5bf63e.exe

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	c25bcdd4496384575416f8d7ee5bf63e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2916	c25bcdd4496384575416f8d7ee5bf63e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4392	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4392	AUDIODG.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 4220	4400	c25bcdd4496384575416f8d7ee5bf63e.exe	87
PID 4400 wrote to memory of 4220	4400	c25bcdd4496384575416f8d7ee5bf63e.exe	87
PID 4400 wrote to memory of 4220	4400	c25bcdd4496384575416f8d7ee5bf63e.exe	87
PID 4220 wrote to memory of 2916	4220	svchost.exe	88
PID 4220 wrote to memory of 2916	4220	svchost.exe	88
PID 4220 wrote to memory of 2916	4220	svchost.exe	88
PID 2916 wrote to memory of 112	2916	c25bcdd4496384575416f8d7ee5bf63e.exe	93
PID 2916 wrote to memory of 112	2916	c25bcdd4496384575416f8d7ee5bf63e.exe	93

C:\Users\Admin\AppData\Local\Temp\c25bcdd4496384575416f8d7ee5bf63e.exe
"C:\Users\Admin\AppData\Local\Temp\c25bcdd4496384575416f8d7ee5bf63e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\c25bcdd4496384575416f8d7ee5bf63e.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\c25bcdd4496384575416f8d7ee5bf63e.exe
    "C:\Users\Admin\AppData\Local\Temp\c25bcdd4496384575416f8d7ee5bf63e.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:112

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4cc 0x3f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TempFolder.aaa\dirapi.dll

Filesize
1.0MB

MD5
d5e5e54d296f667d876edb26a2e40e83

SHA1
a88f31be002ff6d59d71a0b6960b14aa581b5f97

SHA256
c49c0b4bdd99a4fbed1d46808d23616430191847abccf72d535f02cb3e868674

SHA512
13bdfdfeca51ad845ddf50905a520524695e987658761230c3d1f09c4ee7e2ef9cf0a4b9553469a7be96d053353e9d71ac89962a63d3d1daf72abd6cde565cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempFolder.aaa\iml32.dll

Filesize
548KB

MD5
2afe9bc76e6fd6fca15d8f4e35af98af

SHA1
edd43d452b2ba7fdd542672fd3096b2c7963ea34

SHA256
83cfe99eb220164974224c6e44cc3b52d7479999d2753091d3eff952cae6946d

SHA512
40df97b392d35496c97f173c675d9ce4ed545201cf01a5161eb53c41a3a0107fc08899f7035f05cb4fe7d69c9d7d779c899de17e5b1dc324758caa26e87521a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempFolder.aaa\proj.dll

Filesize
148KB

MD5
3aa8e0c8624333396be15df4ee8227ff

SHA1
e213b5eea5bd8cd70c04f5fcbff441c9d10dd36b

SHA256
aa418b3397fc5d8ea24b866f9d494147dbca8d2a81039057255e58aee9392551

SHA512
1c0272d66f7a0e7b9da3874edd57908eb96a97df07fb71317e30e10bd0b98f6d3d3a37bdd226cb3024aec6948bf5ee05978b690d839b1a785a613137210af90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempFolder.aaa\xtras\DirectSound.x32

Filesize
32KB

MD5
5d1f1d69ad0d81988b666fc2d4561d86

SHA1
bf71b6d59b29970b137cea3f6269f2a9e35b3630

SHA256
ddeae51512cbd39d3c4c4862f5d5cae228d88461a8a345a5859024f136522840

SHA512
22aaa0d0644c3da9f081d5ff1711615f36397c83b6665bddc100fa5f8f91a78486104eb6e5526769ab759c0b3c58aa63ec1e14e997e8c2981ddba3a673fe8ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempFolder.aaa\xtras\FileIo.x32

Filesize
40KB

MD5
fd0780420c9e20bd6b49a6008be52357

SHA1
e3e42654fdfd20ea848dcac3e0fee69a889df115

SHA256
a3dc6523c65678294b874ffa89665e3443be9d71374451ee3e6fe8ace15f3a31

SHA512
3a96ca28b66e158a69d477e9b047baf5843dd2ca177e789f751af2aaa1b54fb125e256d1b974859a2b3143fa5f7df7353d055cef07b6d99c42ec8c2c149c784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempFolder.aaa\xtras\Flash Asset.x32

Filesize
332KB

MD5
abda7b440db4e932c8af8bf41ea36917

SHA1
ed53dd8270a268cc0b8f4c191e8352650f5ede96

SHA256
16a24fc939b3a1438ca3b1b00ffe65c2c99c4b95310e9dde5f03534665bf3676

SHA512
b263a1c37a2d367f19844de258e02c6213e0c29b6326a97bbde5280019226139d9fc5b69ce72503315306ffd8036b5a2f0ce6228cb4741786bdf802f991c942c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempFolder.aaa\xtras\Font Xtra.x32

Filesize
276KB

MD5
a80979e2b5b2119d2d35d3dceb432e0a

SHA1
5c5712be5ac9444d52a1d4e615123ad1fc35eeb2

SHA256
2dd54b208b279dad0a9aeb5f8ea55a0e1867ce9bed6c2fbd2aa1393f5a2f1e81

SHA512
d67ab0ba749b462f39a342f6ac086da00c21cb9ffaaff42b72b05ea3b19e1c2562e1412f5c474270d2c2f67f9646130772d7cc62c7ebee25bf796874814a1654

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempFolder.aaa\xtras\INetURL.x32

Filesize
48KB

MD5
748b6e07f24f2347f44c19af44ed6494

SHA1
e4d1ec4078a2baaccd89e772769699fb697c45a1

SHA256
eedd3835d9cbfeffd488b52771e5258ded7ce21fe0ec2d14e6062f4e8793e8a3

SHA512
db611acd5df2bc77d835bbaa6c350591dbad8ca04080b03e56f42d2ad159ee74895261b6cc82bdfa67b87f6c4a51ea1516e8762a11215d2bc038e00c618f179d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempFolder.aaa\xtras\NetFile.x32

Filesize
52KB

MD5
9cdb43e4e30ba76b0d19d15403c0fb69

SHA1
595a0eb0326d92c0574512d62077c9586a7cd9c9

SHA256
110a43f38c5a1c1a3231102c20a09f4e31545729e3c97b7fe95034f6ffe1d61f

SHA512
45b2bc329e9ea47b48933e281f87cc119dd3d051a932e3fa2e1d16f2e4ffa0dd94c51c372f7d68d6c51b7068d85065c4787c2c6cb12c6314de5dafba9c56d1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempFolder.aaa\xtras\NetLingo.x32

Filesize
48KB

MD5
8c4bad31c33d62ed53d52e566c287482

SHA1
7537e01d2a9950636173c0935084956601f8afbc

SHA256
803c4d6397575dd9fd961e89a5f7e41495ebbe2411b90f219ea11faa5f2159dc

SHA512
f6e590ea1220232464ea3b2979124efab9c9cb031d8274315a40a5ff64f815726c403010a929a8b8618ac3e1faab365c2bf8c2cfe1e7f6fff39bca3bba3c4f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempFolder.aaa\xtras\OpenURL.x32

Filesize
28KB

MD5
e50ca9e44bbc81fa71361e76d5bce919

SHA1
2a05fa456289d31c8d914fd6bc422be6b42b933e

SHA256
28e6bf3a1a376987f1fd041c796a69d82cd4b481bbce08fce0d72e88ca3b889c

SHA512
8a94becf90c9c8b244fa88ca9127749b656d5b1cf64a22f99951f1f6fb99322171bfeb421a146767d3c33a7e14e3901f2a343f7e46d81773633424f50e5edabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempFolder.aaa\xtras\SWADCmpr.x32

Filesize
68KB

MD5
a25bb47f798f0bf6c71e2a8dbd6b3ea4

SHA1
d25e1ec11fc12bfc8919ec0194becccd02cade64

SHA256
dd00493ddca594db4167efafba25cf124dfbb0a64c428bbee528e6e3a5933dcd

SHA512
bdb5c6d055f31aeedfa3c952062fa2687e1ccc825ef1605bd7ed7c08375067cf14ede4060a3d51c9e430d63a6dc586de2e354eb0e25dda5a489efc7f2d191bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempFolder.aaa\xtras\Sound Control.x32

Filesize
52KB

MD5
1a03be0567d724722081b7e604415e00

SHA1
0b5a98795b715fbfb776b2e9a10eb14a93fcc53d

SHA256
169b008438b8cbe9c083e51f9f1bae47714f8673e5c4107fc8eaf901692656f6

SHA512
293ed537badf02cc93d146031492103b324766d948609bd692f95fba26dd1272da790e546f1cacca15cd51ca572b07f196a93efa17bedb2cdd38ee096801ef85

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempFolder.aaa\xtras\Text Asset.x32

Filesize
96KB

MD5
dc4ad94b324025b4f01169903d48f654

SHA1
625dfedadc1296522da1f65880a4dcb4a7a205fb

SHA256
2864b897dc2eaadfccc71e0dc9672651c0c33388b21870e3dfb887dfda156425

SHA512
e9b5b63009beae724e8933d112631538dc1a7a4df4d44e837598b77533f2841cb2b0999b1bfca32b56c750ef8a0ce5fb3e293a029990f65035b397b4f98cd4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempFolder.aaa\xtras\TextXtra.x32

Filesize
340KB

MD5
238d08298d1feaf2adc1282f95acb760

SHA1
8b3fcf4281b97490a15b5aefdce644688ec92db4

SHA256
ed96d589e19f9247b2fef98eac0f2e509406c91a8667379724a765b34b53d6ee

SHA512
ba064e67f3009d8526f87f5fc2e5604e8a954e3ef2064b16b634f76c70f1a8f80b0f087b85c6067fdca1405dbd0e7cff17628f560fcd0171068283ee8e6d4438

Download Submit
C:\Users\Admin\AppData\Local\Temp\c25bcdd4496384575416f8d7ee5bf63e.exe

Filesize
2.8MB

MD5
bdf57170eff7749b5a8108747659ba40

SHA1
c38d048efa52df6e4322b145e549b1ab4ad7a5ac

SHA256
a720c0105a9d9785757579705119983d351b06f45339f3876d890530bc002946

SHA512
949095da3a5e46ebad42b2c1d9198eb416a9426e0a7ffb65e401cfbb3ed15ff4022cf1d7ec43805b789a98f9c4e6c3c95d38aeae69aad88d8609b56d749a83fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\c25bcdd4496384575416f8d7ee5bf63e.exe

Filesize
1.2MB

MD5
6d24cd61d41d60be096a02503da6c6e0

SHA1
e6fd964300a47af7f91b1874149846af24918058

SHA256
c9f822df3858d3be9790a5fe32cd4081812d73b96e64ac1adb665d8953a256c9

SHA512
3c512dcbc34dca485b8d272f3f855552638d8dda19eb26856adca613db1b16602939a14d553bdeafe5ca47edde5f0d7a3974112a603a158ed8798d62cf4ee156

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
345861f739ef259c33abc7ef49b81694

SHA1
3b6aff327d91e66a207c0557eac6ddefab104598

SHA256
fc3220611aded768e37b125c4e4d5a8ffdbf7dfa8d8c19c07c7791b486457948

SHA512
7b0aae948a594f29125a3e80f6c2b51421cda07f5ee4554538037f12b87d4b3937ee74fb400505efcd2a953c897a49d79d875148516dcef619c514251854dfad

Download Submit
memory/224-66-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/224-71-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/224-72-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2916-58-0x0000000002100000-0x000000000210D000-memory.dmp

Filesize
52KB

Download
memory/2916-45-0x00000000020F0000-0x00000000020FD000-memory.dmp

Filesize
52KB

Download
memory/4220-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4400-3-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download