f942a3c5e755f62912eab86345f585905c858893ef99a0612780cdebe6cb494a

Resubmissions

19/04/2024, 10:05

240419-l4ktnaff4s 3

19/04/2024, 09:58

240419-lzj2kafe5x 7

19/04/2024, 09:50

240419-ltyyjaeb57 7

Analysis

max time kernel
122s
max time network
100s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2024, 10:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Dns_Sequencer.exe
Size

58KB
MD5

eb8d4fcc685f17ebbf39f8e586584961
SHA1

e4a3f1e63adfc9369077303d1902237ac3a43f7a
SHA256

f942a3c5e755f62912eab86345f585905c858893ef99a0612780cdebe6cb494a
SHA512

a874af759659a5534a0d170f2e24f3c3f9afa9f8c01c4b56dc73c0409ab4e481c8da3ced3d1aeff5b36f80a5f69e38f0e19acc015387ecd9eb7c52291b93ce6c
SSDEEP

768:yCIFqelKr+Z18ZMR6ZMRqr4+qsfN8eiDHucO5XbOfq1NkC3i:yC4qelKr+ZS4+n6fDHPAbOtC3i

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1032	Dns_Sequencer.exe
244	Dns_Sequencer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	Dns_Sequencer.exe
Token: SeDebugPrivilege	244	Dns_Sequencer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2344	1032	Dns_Sequencer.exe	85
PID 1032 wrote to memory of 2344	1032	Dns_Sequencer.exe	85
PID 1032 wrote to memory of 4828	1032	Dns_Sequencer.exe	86
PID 1032 wrote to memory of 4828	1032	Dns_Sequencer.exe	86
PID 244 wrote to memory of 3348	244	Dns_Sequencer.exe	91
PID 244 wrote to memory of 3348	244	Dns_Sequencer.exe	91
PID 244 wrote to memory of 2552	244	Dns_Sequencer.exe	92
PID 244 wrote to memory of 2552	244	Dns_Sequencer.exe	92

C:\Users\Admin\AppData\Local\Temp\Dns_Sequencer.exe
"C:\Users\Admin\AppData\Local\Temp\Dns_Sequencer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings1" /ve /t REG_NONE /f
  2⤵
  PID:2344
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings1" /v ExampleValue /t REG_SZ /d friendship /f
  2⤵
  PID:4828

C:\Users\Admin\AppData\Local\Temp\Dns_Sequencer.exe
"C:\Users\Admin\AppData\Local\Temp\Dns_Sequencer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce1 /ve /t REG_NONE /f
  2⤵
  PID:3348
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce1 /v ExampleValue /t REG_SZ /d celebrate /f
  2⤵
  PID:2552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Dns_Sequencer.exe.log

Filesize
4KB

MD5
3f25c675a1bbd5750612084c359b8721

SHA1
9a637a60d9d795894b12dcedf53e2bfa051d97ff

SHA256
470c1b960140f5f4a281b23363a3234802d12c8699163f5b731c47ce8b53ad81

SHA512
ee9041f744fa6536298d155a59891da0fc678cde1331bf8fd6a3bca9159146ae2a4e9280db4f8c2d36778ba527e6c3027b77e56ea4c4eabb24fd73f7b0e9ce54

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bq24gt1r.gtq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/244-29-0x00007FF92A500000-0x00007FF92AFC2000-memory.dmp

Filesize
10.8MB

Download
memory/244-28-0x000000001B5F0000-0x000000001B600000-memory.dmp

Filesize
64KB

Download
memory/244-27-0x00007FF92A500000-0x00007FF92AFC2000-memory.dmp

Filesize
10.8MB

Download
memory/244-26-0x000000001B5F0000-0x000000001B600000-memory.dmp

Filesize
64KB

Download
memory/244-17-0x00007FF92A500000-0x00007FF92AFC2000-memory.dmp

Filesize
10.8MB

Download
memory/1032-10-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/1032-15-0x00007FF92A500000-0x00007FF92AFC2000-memory.dmp

Filesize
10.8MB

Download
memory/1032-13-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/1032-12-0x00007FF92A500000-0x00007FF92AFC2000-memory.dmp

Filesize
10.8MB

Download
memory/1032-11-0x000000001B3B0000-0x000000001B3D2000-memory.dmp

Filesize
136KB

Download
memory/1032-0-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/1032-1-0x00007FF92A500000-0x00007FF92AFC2000-memory.dmp

Filesize
10.8MB

Download