Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06/04/2024, 14:59 UTC
Static task
static1
Behavioral task
behavioral1
Sample
f1e7ea6ba820264681a9c214476e0f8962aec14965a21552a7c6518c825a6845.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f1e7ea6ba820264681a9c214476e0f8962aec14965a21552a7c6518c825a6845.exe
Resource
win10v2004-20240226-en
General
-
Target
f1e7ea6ba820264681a9c214476e0f8962aec14965a21552a7c6518c825a6845.exe
-
Size
1.3MB
-
MD5
d9d03de9a09de23aba63c42f54015e02
-
SHA1
d9e456ddcb6adcf8b818832c4c4be480633ca5a5
-
SHA256
f1e7ea6ba820264681a9c214476e0f8962aec14965a21552a7c6518c825a6845
-
SHA512
49f06dfcd6e36e048b7345df11d149c094fa8e4c47896abd2c4c14932cf8db77a4a42138e32af903d5a26ea8dae8da7f1522bacbc0962e01e22f7dfd09085c78
-
SSDEEP
24576:EW9BIl11tmlNQ2OnBdFQtP51llPup33kT:ESs11tmlNQ2ayVup3
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3880 alg.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\alg.exe f1e7ea6ba820264681a9c214476e0f8962aec14965a21552a7c6518c825a6845.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 856 f1e7ea6ba820264681a9c214476e0f8962aec14965a21552a7c6518c825a6845.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1e7ea6ba820264681a9c214476e0f8962aec14965a21552a7c6518c825a6845.exe"C:\Users\Admin\AppData\Local\Temp\f1e7ea6ba820264681a9c214476e0f8962aec14965a21552a7c6518c825a6845.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:856
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:3880
Network
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request219.135.221.88.in-addr.arpaIN PTRResponse219.135.221.88.in-addr.arpaIN PTRa88-221-135-219deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request22.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.143.109.104.in-addr.arpaIN PTRResponse28.143.109.104.in-addr.arpaIN PTRa104-109-143-28deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request249.197.17.2.in-addr.arpaIN PTRResponse249.197.17.2.in-addr.arpaIN PTRa2-17-197-249deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request240.197.17.2.in-addr.arpaIN PTRResponse240.197.17.2.in-addr.arpaIN PTRa2-17-197-240deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request21.236.111.52.in-addr.arpaIN PTRResponse
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
219.135.221.88.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
22.160.190.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
28.143.109.104.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
249.197.17.2.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
240.197.17.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
21.236.111.52.in-addr.arpa
-
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5e96a3d448a3cd98cf79d65951786b73d
SHA15c8d536dd83d87affc5c328d35de2f275a66cddc
SHA256358b7d1b330859580280ce40acd85778dc82267bb1afc7550e404a0df2f99171
SHA512b477212513f563ce9e5d0c1d17507c08ee6c4f6eb44807934b808b4559f4d0297e53feb8446d2e7cc1237c1aff8f1c92fca3f08ec2bd822763fe2b9b8766f4eb