cf1df17c2105cf334c8e66dea374d34639ada4d4f51492a30901ab60591567ab

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 15:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

HA_MarioXP120_DYJ.exe
Size

4.8MB
MD5

b440c20cca1941852f65e44a2d8c3303
SHA1

ce8f0db79e6c168649d371be0749430ef71dd1ec
SHA256

ac7b79bd973c76fdc27e3b43a6f51742fc73c492b1d2a8fdd857173f77bf1560
SHA512

ac9b15f19f469d1cce46634c40583914193e16b17fc2cef0d4c2ff1389ec0487ed291e1fb083f2716f9739e0f4e2089a733387f4ac7371aa8fbbada1810c3883
SSDEEP

98304:sha2BPHVibYaZDkSB1jURkdp4vHSUgFRqHJLG2RDxgLeSMdHU6zx9:gvVibYTR6MHDgcK0gMdHU6V9

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
4004	HA_MarioXP120_DYJ.exe
4004	HA_MarioXP120_DYJ.exe
4004	HA_MarioXP120_DYJ.exe
4004	HA_MarioXP120_DYJ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4384	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4384	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\HA_MarioXP120_DYJ.exe
"C:\Users\Admin\AppData\Local\Temp\HA_MarioXP120_DYJ.exe"
1⤵
- Loads dropped DLL
PID:4004

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x46c 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsb4A59.tmp\AdvSplash.dll

Filesize
6KB

MD5
ca5bc3627eced1e65e92bc681d1dd428

SHA1
5fb30cd6afcce2377feaed143debac138007d4e4

SHA256
eb23e2436003fbaba5b08d441f98560c7f26bd25ba21910fb8f7446832bf3e32

SHA512
eca6959adbf0a32015b38979e125f5812e1baa9d40e807993326a5bb362d6b42496510a467da99c38c5f266f2bb0705c3506b2979427e817651f04792f6e0a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb4A59.tmp\InstallOptions.dll

Filesize
12KB

MD5
83304a78d2b6ea45ea8404f4cd78721f

SHA1
d5c5d19653c751c08579dd094bcc9fef1841af00

SHA256
92344973083c0a5d8f5732814c1315124e8e0a2f1ed912583a081f95f7549414

SHA512
94076cc935927925641d668c19b389d007ff7e8623f2afe706fc73d1ecb97210577a828a727404b200d9870e14b23d6bd047de9201d629e7443a929c0740c67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb4A59.tmp\System.dll

Filesize
10KB

MD5
d4d09da0218ba046a66a294f0cca9dfe

SHA1
417b1acdeb0a4de6ac752a93080ca5b9164eb44b

SHA256
9090e47d239aa1da9598a483861165e0153c01ad9ff9d65cb6c0f4497a1da5b3

SHA512
3bc9a65842301dab56c139cc5a3457158d37ef294583728c93da1e11ae457df9551b0f8fbd03d5ea3058f3bc794d0ede57ea3efd5d663b45d25647a39cd955bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb4A59.tmp\ioSpecial.ini

Filesize
619B

MD5
3d218c33aba7077af5b11716d340ae2f

SHA1
f506fb9c3a67812b2323eea60f7e97e0126b45a8

SHA256
5637640c8df59cab3ec546634b2e625c4c69564786d333fd35fa339ba2a53a29

SHA512
acbceac743285e37930552d38bba5cd82c901bf82b1035fada744d7de1d587ea9b64391d1a4420496e5ffd1c6f28653838ff61617863cb6fb44d9c3770061fbb

Download Submit