19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb

Analysis

max time kernel
92s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe
Size

7.3MB
MD5

888284957e75b8b7db670ce4711ba2dd
SHA1

032c11005496fb72208409dcc39d14949ce2f908
SHA256

19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb
SHA512

596156aca8449664ced425cf86600fbc747730d2544ef217bc4e9b6dd407033c1579cf05b5c5beafa8622b86eebf63dc2abdc16a14d86256308120aaa48fb6ef
SSDEEP

196608:zLkqSpYCYzubVwvtK/D0P+7Zi2aAhHEmkGmmlyv:mYtU4OgP+IATjmoyv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1844	autorun.exe

Loads dropped DLL 1 IoCs

pid	Process
1844	autorun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1844	autorun.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1224	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1224	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2320	19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe
2320	19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe
1844	autorun.exe
1844	autorun.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1844	2320	19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe	85
PID 2320 wrote to memory of 1844	2320	19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe	85
PID 2320 wrote to memory of 1844	2320	19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe	85

C:\Users\Admin\AppData\Local\Temp\19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe
"C:\Users\Admin\AppData\Local\Temp\19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f8 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\0001-windows-7.btn

Filesize
3KB

MD5
967fdfe0a01c083804673b4976ad6730

SHA1
5d05ade6dd0d1d67ea7879cd8f7779ef53abbd4c

SHA256
72eda9d49bcd0cd3b540f75c4215714378afbb1ce40afcbb7a0b246ab2a44f21

SHA512
50acacf15fa4cfa8319f789fb534cdb4a8d559ceb3e5e832b32015ff2fbee2c3902abfc83bc2493d57298ed32d0aeb6817e077758c4c2c956432b1d3f3c738d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\iphone-iphone-699344_1280_800_2.jpg

Filesize
386KB

MD5
bfb0add91733214d2412ffe7ab436046

SHA1
c937db6796933e3fecee6d99eece9462a074eda9

SHA256
e4b0ffe09d0df0fc3bf93777610546cdc9ff6eb528bf1edbbb3d3edc5e965627

SHA512
1fe8660d4a3ea51f742ea2ec212e21b34fb0b68de3428d661798f4fcb06d5f8aca0cdd6f447a7878b915cef7b6520724b4125322a219c5d4b154bfb28c1a81cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
473KB

MD5
6fff38d7b9c42c22193f1fab22452abf

SHA1
4f70831adafd58eff89fdbc9801351115ee4ab00

SHA256
478f98f85b515931ece964bf03027ebdd00615f3fa12be75f7daa4ce50242e5a

SHA512
569a6b562172574e48f94cb9755512c82963ac5cf1601e50437c658072684ccb4936be243d07805b66576ecbdcae879ba3fb9138460a9b7c311d3663caa70a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
2.2MB

MD5
9bfe9399ac3841ae9192676b0d16ca6a

SHA1
76681bcb7a7720233cb3a61487db73b767ae6559

SHA256
6148b67c403cc8101cd80ae2664b9b5a8ce787d5850b98da732c98636b10ab2f

SHA512
6536dd615f53a1aad12e186d8c8c53fb1332e4fb387b8fad84e863b59f9a344757b6cdf9c31ddedbbe1615911c25f67b9726d31a9b3e1467e1b82e40e194bcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
2.8MB

MD5
3ce54ab08bddad9235eb1ce3ca6ecfe6

SHA1
2e075383b6994c627e44c900ec9a95aa161f8473

SHA256
1ad7fc48093d94947d4bc7c5093e5ed27090fc97b10fbedb61bcfed4b85fb435

SHA512
c0b200e6e8efadf796c0d2d462c55473a4813d5726c14853be458e3df2404aa6db96f8e75ed0cd01f1fbf6d9a48e35bdce97d715096039fc63929d21dbaf4742

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\jajr_logo-32x32.ico

Filesize
1KB

MD5
3d9ecabffb8558560941f1b3172c3c38

SHA1
433a85b775c815dfeb16e2761cf623aa794299ee

SHA256
b38a3b25527a64744df7b3d17a93a77bb251e778c1e5fde37e6f894820197e7e

SHA512
326b5687f98632f2bbeb29ddb0eebe7fc8d43b2f6caed00df30b14feb7d1875199ded7cf27ac704145d78e67fe7efcef7df1e29b59f28e8dac9ecf76433feb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

Filesize
318KB

MD5
2e34ae97aeff9034f66d04e6c2bf987f

SHA1
a362799075fe1e8c6afa77f8ca831bd5787073df

SHA256
45bd2e6cbd5b8dfea5f471a4e179b01c4cb764afcf2493e86494272be8dd9342

SHA512
194df497d750903537bdc76b0527bb75e3091154dce32f1eccfc855d0019665ca08fe49848380335325417e5b9b53265fa3c6c226900c68f0e8fd92be5f15591

Download Submit