Analysis
max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
27-03-2024 04:56
Static task
static1
Behavioral task
behavioral1
Sample
e0d2d5a1643a9dfc6292819c60d8760d.exe
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
e0d2d5a1643a9dfc6292819c60d8760d.exe
Resource
win10v2004-20240226-en
General
Target
e0d2d5a1643a9dfc6292819c60d8760d.exe
Size
878KB
MD5
e0d2d5a1643a9dfc6292819c60d8760d
SHA1
7c2e5e1c0f451b9b565571bdfb14a3b9f065d4c5
SHA256
00f0a5476c87e74f53a8079ad610b06bf944aa3ec1b01fa4e3c151ac3bca6699
SHA512
ac19c11ff81f45d36a3068cb0a9c4728382bd1545483f57d83bb8868182f1e52e5d8b859b7d503262a44e94a9df23204e05481f173e85f0742abf6eb781c8d30
SSDEEP
12288:hau9MG94UXi1em6M71qHfgudE0SXejQSZMRkKVt51X5O+uU+8n/aJhksmxhOTown:hawM8YJzKO0aRN6I+Ya7ksM6oxWB
Malware Config
Signatures
Executes dropped EXE 4 IoCs
pid   Process
1704  svchost.exe
3640  e0d2d5a1643a9dfc6292819c60d8760d.exe
4176  svchost.exe
4420  samurai.exe
Loads dropped DLL 4 IoCs
pid   Process
3640  e0d2d5a1643a9dfc6292819c60d8760d.exe
3640  e0d2d5a1643a9dfc6292819c60d8760d.exe
4420  samurai.exe
4420  samurai.exe
Drops file in Program Files directory 64 IoCs
description  ioc  Process
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\java.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javaws.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jdeps.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javaw.exe  svchost.exe
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe  svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\idlj.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe  svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jjs.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\keytool.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\orbd.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jstatd.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\klist.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE  svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe  svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\extcheck.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jdb.exe  svchost.exe
File opened for modification  C:\Program Files\7-Zip\7z.exe  svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javah.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\kinit.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmid.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\ktab.exe  svchost.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe  svchost.exe
File opened for modification  C:\Program Files\dotnet\dotnet.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jhat.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jconsole.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jps.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javap.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jstack.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\pack200.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe  svchost.exe
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javac.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jcmd.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jmap.exe  svchost.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe  svchost.exe
File opened for modification  C:\Program Files\7-Zip\Uninstall.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE  svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\chrome.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jar.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\policytool.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javapackager.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmic.exe  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jstat.exe  svchost.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jinfo.exe  svchost.exe
Drops file in Windows directory 1 IoCs
description  ioc  Process
File created  C:\Windows\svchost.exe  e0d2d5a1643a9dfc6292819c60d8760d.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: 33  4280  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  4280  AUDIODG.EXE
Suspicious use of SetWindowsHookEx 3 IoCs
pid   Process
3640  e0d2d5a1643a9dfc6292819c60d8760d.exe
3640  e0d2d5a1643a9dfc6292819c60d8760d.exe
3640  e0d2d5a1643a9dfc6292819c60d8760d.exe
Suspicious use of WriteProcessMemory 9 IoCs
description  pid  Process  procid_target
PID 3116 wrote to memory of 1704  3116  e0d2d5a1643a9dfc6292819c60d8760d.exe  89
PID 3116 wrote to memory of 1704  3116  e0d2d5a1643a9dfc6292819c60d8760d.exe  89
PID 3116 wrote to memory of 1704  3116  e0d2d5a1643a9dfc6292819c60d8760d.exe  89
PID 1704 wrote to memory of 3640  1704  svchost.exe  90
PID 1704 wrote to memory of 3640  1704  svchost.exe  90
PID 1704 wrote to memory of 3640  1704  svchost.exe  90
PID 3640 wrote to memory of 4420  3640  e0d2d5a1643a9dfc6292819c60d8760d.exe  92
PID 3640 wrote to memory of 4420  3640  e0d2d5a1643a9dfc6292819c60d8760d.exe  92
PID 3640 wrote to memory of 4420  3640  e0d2d5a1643a9dfc6292819c60d8760d.exe  92
Processes
C:\Users\Admin\AppData\Local\Temp\e0d2d5a1643a9dfc6292819c60d8760d.exe (PID 3116)
  command line: "C:\Users\Admin\AppData\Local\Temp\e0d2d5a1643a9dfc6292819c60d8760d.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\svchost.exe (PID 1704)
    command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\e0d2d5a1643a9dfc6292819c60d8760d.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\e0d2d5a1643a9dfc6292819c60d8760d.exe (PID 3640)
      command line: "C:\Users\Admin\AppData\Local\Temp\e0d2d5a1643a9dfc6292819c60d8760d.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\samurai.exe (PID 4420)
        command line: "C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\samurai.exe"
        - Executes dropped EXE
        - Loads dropped DLL
C:\Windows\svchost.exe (PID 4176)
  command line: C:\Windows\svchost.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
C:\Windows\system32\AUDIODG.EXE (PID 4280)
  command line: C:\Windows\system32\AUDIODG.EXE 0x508 0x2f4
  - Suspicious use of AdjustPrivilegeToken
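The WriteProcessMemory rows and the process tree above can be stitched back together mechanically. The script below is an added example, not output of the sandbox: it rebuilds the parent/child chain from those rows, attaches the image paths from the Processes section, and flags what a responder cares about here, namely svchost.exe running from C:\Windows rather than C:\Windows\System32 or SysWOW64 (the file this sample created, per the "Drops file in Windows directory" IoC), plus any process that the masquerading copy spawned. The event rows and paths are copied from this report; the set of legitimate svchost.exe directories is the standard 64-bit Windows layout and is an assumption of the example.

```python
"""Rebuild the process tree from the sandbox's WriteProcessMemory events and
flag the masquerading svchost.exe.  Added example; the rows below are copied
from the report, the image paths from its Processes section."""
from collections import defaultdict
import ntpath

# (parent_pid, child_pid, parent_image) rows copied from the report's
# "Suspicious use of WriteProcessMemory" table; duplicates kept as listed.
WPM_EVENTS = [
    (3116, 1704, "e0d2d5a1643a9dfc6292819c60d8760d.exe"),
    (3116, 1704, "e0d2d5a1643a9dfc6292819c60d8760d.exe"),
    (3116, 1704, "e0d2d5a1643a9dfc6292819c60d8760d.exe"),
    (1704, 3640, "svchost.exe"),
    (1704, 3640, "svchost.exe"),
    (1704, 3640, "svchost.exe"),
    (3640, 4420, "e0d2d5a1643a9dfc6292819c60d8760d.exe"),
    (3640, 4420, "e0d2d5a1643a9dfc6292819c60d8760d.exe"),
    (3640, 4420, "e0d2d5a1643a9dfc6292819c60d8760d.exe"),
]

# Full image paths from the Processes section (pid -> path).
IMAGES = {
    3116: r"C:\Users\Admin\AppData\Local\Temp\e0d2d5a1643a9dfc6292819c60d8760d.exe",
    1704: r"C:\Windows\svchost.exe",
    3640: r"C:\Users\Admin\AppData\Local\Temp\e0d2d5a1643a9dfc6292819c60d8760d.exe",
    4420: r"C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\samurai.exe",
    4176: r"C:\Windows\svchost.exe",
    4280: r"C:\Windows\system32\AUDIODG.EXE",
}

# Assumption: where the genuine svchost.exe lives on 64-bit Windows.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def build_tree(events):
    """Collapse duplicate events into parent -> [children] and child -> parent maps."""
    children = defaultdict(list)
    parent_of = {}
    for parent, child, _ in events:
        if child not in parent_of:
            parent_of[child] = parent
            children[parent].append(child)
    return children, parent_of


def is_masquerading_svchost(path):
    """True if the image is named svchost.exe but sits outside System32/SysWOW64."""
    directory, name = ntpath.split(path)
    return name.lower() == "svchost.exe" and directory.lower() not in LEGIT_SVCHOST_DIRS


def findings(events=WPM_EVENTS, images=IMAGES):
    """Return (pid, reason) tuples for anomalous processes, masqueraders first."""
    _, parent_of = build_tree(events)
    out = []
    for pid, path in sorted(images.items()):
        if is_masquerading_svchost(path):
            out.append((pid, f"svchost.exe outside System32: {path}"))
    for child, parent in sorted(parent_of.items()):
        if is_masquerading_svchost(images.get(parent, "")):
            out.append((child, f"spawned by masquerading svchost.exe pid {parent}"))
    return out


def render(pid, children, images, depth=0):
    """Indented text tree rooted at pid."""
    lines = [f"{'  ' * depth}{pid} {images.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(child, children, images, depth + 1))
    return lines


if __name__ == "__main__":
    ch, par = build_tree(WPM_EVENTS)
    for root in [p for p in ch if p not in par]:
        print("\n".join(render(root, ch, IMAGES)))
    for pid, why in findings():
        print(f"[!] pid {pid}: {why}")
```

To use the same logic on a live host, feed it (ParentProcessId, ProcessId, ParentImage) tuples from Sysmon Event ID 1 or from an EDR's process-creation telemetry; the path check is what catches this sample's C:\Windows\svchost.exe, since the process name alone is indistinguishable from the real service host.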
Network
MITRE ATT&CK Matrix
Downloads
Filesize
22KB
MD5
3c090bac965ee3543728d16b87a4d29f
SHA1
859fbb59a7d8468100d20fd120a100d555651438
SHA256
e54391a41a9a2807f1f5117a5e2947e9bc2875ae91fa2ac8868d26a3208d7d39
SHA512
de351362ee253d63a4eea0f66cb5172bd219c51774e58186add730e6f752b94a7ae0ef4bafc22aa260532410a75bc9c01d7355c3d707168683f3e925d68a2dd8

Filesize
951KB
MD5
708f978b10ad557769849f7a234928af
SHA1
91c042b39745cf969fa1d7ced9710bc788a65b6c
SHA256
212fc2b874215a772ec5139e39ffb26001b2675cfc279279643f1e1649d84a05
SHA512
6918359792958e8db7c2b05f6b0bcc5ff1528ebf4f02df75172a202c964c8ef608baea8a0c5156c4da63202bd0efd6629445e6d43e7d688ed3f7f89083f2ab3f

Filesize
756KB
MD5
37b72545a7b470d74a342b053dfabe95
SHA1
933eaa34b8f046191335e2dcaa3c36d77390c858
SHA256
616e611514e87fc1e4e7d7d3ef09a8ec1221baec343918aa42d12cc6b9cae829
SHA512
17cdfc0044308d2fc57d42c2c224990dad7ab9efea13156d056849a43684fe0201aca27ed753581acae8b15d643799abfc8936365877349802fa15a05b32a09b

Filesize
842KB
MD5
0a742b640a54f6a6359e556119f48ade
SHA1
45324e147c2bce5c13f9558fd6d2ea56ded80262
SHA256
57186712bf96527a9824fcd2d29884e557cd039cfe6991b3574a9fa70fff0a5b
SHA512
77b17f0c0d34761e11ca80e6c8b0ddb6b09741d960764c9c811b42e8ed861dcad16f4a978a2de8fccf6a0fa5222548af4c393ede90e6ccc5b92768b62b655ee2

Filesize
35KB
MD5
345861f739ef259c33abc7ef49b81694
SHA1
3b6aff327d91e66a207c0557eac6ddefab104598
SHA256
fc3220611aded768e37b125c4e4d5a8ffdbf7dfa8d8c19c07c7791b486457948
SHA512
7b0aae948a594f29125a3e80f6c2b51421cda07f5ee4554538037f12b87d4b3937ee74fb400505efcd2a953c897a49d79d875148516dcef619c514251854dfad
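The digests above only become useful when they are checked against disk. The script below is an added example, not a tool from the sandbox: it loads the hashes this page lists (the submitted sample and the five dropped files) into a lookup table, streams every file under a directory through MD5, SHA-1, SHA-256 and SHA-512, and reports any match. The dropped files are listed here without filenames, so the table labels them by size only. The demo() function builds a constructed temporary directory whose "bad" file is a stand-in registered as an extra IoC, because the real samples are not on the page; everything else in the table is copied from the report.

```python
"""Match files on disk against the hashes listed in this report.  Added
example; the IoC values are copied from the page, the demo data is constructed."""
import hashlib
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256", "sha512")

# label -> {algo: hexdigest}, copied from the General and Downloads sections.
# The dropped files have no names on the page, so they are labelled by size.
REPORT_IOCS = {
    "submitted sample (878KB)": {
        "md5": "e0d2d5a1643a9dfc6292819c60d8760d",
        "sha1": "7c2e5e1c0f451b9b565571bdfb14a3b9f065d4c5",
        "sha256": "00f0a5476c87e74f53a8079ad610b06bf944aa3ec1b01fa4e3c151ac3bca6699",
    },
    "dropped file (22KB)": {"md5": "3c090bac965ee3543728d16b87a4d29f",
                            "sha256": "e54391a41a9a2807f1f5117a5e2947e9bc2875ae91fa2ac8868d26a3208d7d39"},
    "dropped file (951KB)": {"md5": "708f978b10ad557769849f7a234928af",
                             "sha256": "212fc2b874215a772ec5139e39ffb26001b2675cfc279279643f1e1649d84a05"},
    "dropped file (756KB)": {"md5": "37b72545a7b470d74a342b053dfabe95",
                             "sha256": "616e611514e87fc1e4e7d7d3ef09a8ec1221baec343918aa42d12cc6b9cae829"},
    "dropped file (842KB)": {"md5": "0a742b640a54f6a6359e556119f48ade",
                             "sha256": "57186712bf96527a9824fcd2d29884e557cd039cfe6991b3574a9fa70fff0a5b"},
    "dropped file (35KB)": {"md5": "345861f739ef259c33abc7ef49b81694",
                            "sha256": "fc3220611aded768e37b125c4e4d5a8ffdbf7dfa8d8c19c07c7791b486457948"},
}


def build_index(iocs):
    """Invert label -> hashes into (algo, lowercase digest) -> label for O(1) lookup."""
    index = {}
    for label, digests_for_label in iocs.items():
        for algo, value in digests_for_label.items():
            index[(algo, value.lower())] = label
    return index


def digests(data):
    """All four digests of an in-memory blob."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path, chunk=1 << 20):
    """Stream a file through all four hashers so large binaries need not fit in RAM."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_tree(root, iocs=REPORT_IOCS):
    """Walk root; return [(path, matched_label, algo)] for files whose digest is in iocs.
    Each file is reported once, on the first algorithm that matches."""
    index = build_index(iocs)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                d = hash_file(path)
            except OSError:
                continue  # locked or unreadable: skip rather than abort the sweep
            for algo in ALGOS:
                label = index.get((algo, d[algo]))
                if label:
                    hits.append((path, label, algo))
                    break
    return hits


def demo():
    """Constructed scenario: one benign file and one whose hash is registered as an IoC."""
    bad = b"constructed stand-in body, not real malware\n"
    iocs = dict(REPORT_IOCS)  # shallow copy; the report table itself is left untouched
    iocs["constructed test IoC"] = {"sha256": digests(bad)["sha256"]}
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "benign.txt"), "wb") as f:
            f.write(b"hello\n")
        with open(os.path.join(tmp, "svchost.exe"), "wb") as f:
            f.write(bad)
        return [(os.path.basename(p), label, algo) for p, label, algo in scan_tree(tmp, iocs)]


if __name__ == "__main__":
    for name, label, algo in demo():
        print(f"{name}: matches {label} via {algo}")
```

Point scan_tree at C:\Windows and the user's Temp directory to look for this sample's artefacts; keep in mind that a hash match only confirms a byte-identical file, so a repacked build of the same dropper will not hit and still needs the behavioural indicators above.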