c19f25ac997f6cc48b0e931a83e186592275c8388f1ff9ef0c90462fba604940

Analysis

max time kernel
155s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c19f25ac997f6cc48b0e931a83e186592275c8388f1ff9ef0c90462fba604940.exe
Size

1.3MB
MD5

aa4263ef4d5ba9380e0ffdfed6617dc9
SHA1

0bf0fb785fd18a71210d0a53b572a41f5c0e2477
SHA256

c19f25ac997f6cc48b0e931a83e186592275c8388f1ff9ef0c90462fba604940
SHA512

c3425ef84dfa1ea4f6c74aad11158fd911c6db938e79809875c0e99b77f832e96c2f57487683e0bfe82694f79a0b249dea551ccad01b741f909ea8558ed88b9b
SSDEEP

12288:u09B+VjMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:u09B/SkQ/7Gb8NLEbeZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
3272	alg.exe
5116	DiagnosticsHub.StandardCollector.Service.exe
4472	fxssvc.exe
4340	elevation_service.exe
2164	elevation_service.exe
4616	maintenanceservice.exe
4396	OSE.EXE

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c19f25ac997f6cc48b0e931a83e186592275c8388f1ff9ef0c90462fba604940.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c19f25ac997f6cc48b0e931a83e186592275c8388f1ff9ef0c90462fba604940.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	c19f25ac997f6cc48b0e931a83e186592275c8388f1ff9ef0c90462fba604940.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c19f25ac997f6cc48b0e931a83e186592275c8388f1ff9ef0c90462fba604940.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\24142298b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c19f25ac997f6cc48b0e931a83e186592275c8388f1ff9ef0c90462fba604940.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	228	c19f25ac997f6cc48b0e931a83e186592275c8388f1ff9ef0c90462fba604940.exe
Token: SeAuditPrivilege	4472	fxssvc.exe

C:\Users\Admin\AppData\Local\Temp\c19f25ac997f6cc48b0e931a83e186592275c8388f1ff9ef0c90462fba604940.exe
"C:\Users\Admin\AppData\Local\Temp\c19f25ac997f6cc48b0e931a83e186592275c8388f1ff9ef0c90462fba604940.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3272

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2484

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2164

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4616

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:3660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
aa21646f3cb425d2106cedd4abdbb479

SHA1
5c65ccd3e3ea012caa9f3086c935ef9d9bf155d2

SHA256
65888a13cf167b67edf5192471a9dc05fd6720baea41db94a9497ef4d5d729a3

SHA512
f6905a269fa6a6dd9345e0638006d9532aa6b36f5e5cbaf5eac17ce7a19a85e36eb76b96cf640dcc2255b62145ba7780fcb6ffb01c7d9f388bde04d9fb2f3e05

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ee104981f5b2fb17c077d590eaa3121b

SHA1
1c5f82176658421fac469cc57c278d17024d617a

SHA256
9551cfe6da60c30fac29ad3d02d4bbc381215ee5873e2e6a226d16ff30e24205

SHA512
a191f2aa6dde5f07b88f2cfd8042930ec30f4a8fa34162af979e56c3b96f2b106b4d7c917e0c0580689bfcf5d7f0ef53cb9e8025713ea80bf524e5c6bcf5db81

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
35ff07d085af1ca0acb39f9e53e75d44

SHA1
892a041368a7c5251f2f11055adc7e87710c1d21

SHA256
7095bf28552f46f1db07831d436a318ddda4008cb825b23d317932435bf46266

SHA512
c4362100a287420d16795957cfc479806c0cd2c9670975ab4b16d188a8ddc37b6caa20d4bb870066285db5e98fbb03d7da67d2bef889ab901ebea3d324a306c5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
38f985e652e355b41cceb7e68eff0ebe

SHA1
dd9bd60016365e845396c7783c900ca02e1070c5

SHA256
4359b3661261c6fc43739ae285f529cb8811997ce32ebf5ee9db924fc055ff8e

SHA512
f587a902840ab49f53eb7c178f675f864c50933e0aa39908ac5b9582022eb372a94d375fcddf9585bb21b3e9f5f4ed9a1a372bd2b8e2c82878ac7a38165a400c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
eb7a7a340017fbc038dc44811b47cd05

SHA1
b565a8ddfe2b22bc0d5e24c5c5ac14735b110c0a

SHA256
21a0aac0ffeb359c9fa986680c640b3e47ebedae44304ebd964a64295832227e

SHA512
92c44dda5eca8d634f387550e8f1c4d0709c488bfdabd0dedd48227a1dd4514939dcf01d7412eda0e192c03826989b1778cde3b4b92c7d25e7ee957222e09b87

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fcacb4954e4164f7b00affcd517c9780

SHA1
60db2c0a2d7871f5e90f77c5c710500ef5805b0e

SHA256
f25a7f7298e1694ed33018b9189efda861b1e429c8394d078822205f952f3214

SHA512
fdbf4a41a7bc6a9835de54656ebce5de15a71e6881d360f2c6c974ddb47ee0f18d81b8693b8816e991a05758001a54b032f83e5e0a3564a20bf9492bfa50aee8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
5b2f5a6091f5b1ad270b52e49e7730ac

SHA1
86d1a683f134cf3e2ec974e9cc52a5192566d706

SHA256
9cb019ff49934665f2a2d92810ee09f4f0a18baa52fcd627d9e7fc12663da201

SHA512
18689985fd679f4554e2a51f6e454e0bbaebe899d7f1ccb77c2ac0df2b719aabb5e75ff469379379255f02a9c34222360cd14549b8584c4abfefd36203a69761

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
59cacf804d83525c8d60783aca8e97dc

SHA1
c51b575e3780e6519175a5269ddd641f8a079b26

SHA256
d18855753404c260b5b5d52a210d5d1339e101182bbc6c1bffcbc6670fc8336a

SHA512
ab370139e7b10d221f07fc07c4083011f9cea655cba241a4e231084a48695872ec5f07fc6f7a3340bd0973eb08f95d1a40cfa891b7ec314d8949cab2224451a7

Download Submit
memory/228-6-0x0000000000B30000-0x0000000000B96000-memory.dmp

Filesize
408KB

Download
memory/228-7-0x0000000000B30000-0x0000000000B96000-memory.dmp

Filesize
408KB

Download
memory/228-0-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/228-1-0x0000000000B30000-0x0000000000B96000-memory.dmp

Filesize
408KB

Download
memory/228-44-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/228-40-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2164-67-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2164-138-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2164-74-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2164-75-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2164-68-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3272-19-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3272-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3272-79-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3272-13-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4340-45-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4340-57-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4340-46-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4340-116-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4396-179-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4396-104-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4396-97-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4396-96-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4472-62-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4472-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4472-60-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4472-48-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4472-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4616-80-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4616-92-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4616-90-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4616-87-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4616-81-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/5116-95-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/5116-32-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5116-33-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5116-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5116-25-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download