Analysis
max time kernel: 91s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 10:07
Static task: static1
Behavioral tasks (sample, resource):
- behavioral1: 000643ece079f96ed416c42e9dec2e3a647599f99950c60349c52e36cb724e88.exe, win10v2004-20240508-en
- behavioral2: 0e413fa9690c02a45dc95f1ea020874ed2745670117fed803aea439be9b8683c.exe, win10v2004-20240426-en
- behavioral3: 4312b77e6031b30312b6c5c30180fca1895d4c065914103fa2e4ca9e8da9a0ce.exe, win10v2004-20240226-en
- behavioral4: 5a9212ccca92111e18358da4163f1a5d4c12debc5b1d9ac429198c7ad68de5d1.exe, win10v2004-20240426-en
- behavioral5: 617783538bdab4bd7c8fbacae9e8749b50cd02e596dc328612ea1d600c11dc1f.exe, win10v2004-20240508-en
- behavioral6: 729187837b6282872fd853df135ab03458edda808d089983498f29a635b978ea.exe, win10v2004-20240508-en
- behavioral7: 747238b5bd007fbf264cbd66b42a3fa3d6c54ccb6a1d0ce2c79715650a55d097.exe, win10v2004-20240426-en
- behavioral8: 8e6dae5587d0150e1fa568f6ff42d2f6790750c017c08f86cff2c14b18de7422.exe, win10v2004-20240426-en
- behavioral9: dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe, win10v2004-20240508-en
- behavioral10: e500bee084b2757ef23283d465255eeb1eed61d9ed67171a24f814de66cf3b71.exe, win10v2004-20240508-en
General
Target: dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe
Size: 51.0MB
MD5: 334d3992d07061c6b20d08d200811aff
SHA1: c896f1f24fd0af2d523946217fb556fadfac3304
SHA256: dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9
SHA512: 6d10bc11d0792c2ef63ae0564df650ec1c7e3a776bf3df3df7097cb5fd3477a173b8dc2bd36628f67a312b766bf684626ec6221be9d259425dad65309f791b4a
SSDEEP: 786432:n14+ls/Zo30hnFnAZZhGJHJaIKYlPLkkAt9lMe/HMrGQgQGmLIqFGkCRFrmT:14++iEVFnAxGJfljDeQgQGLqNCjmT
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 3496, process FNF_FREE_DOWNLOAD.exe
- Loads dropped DLL (1 IoC)
  PID 3496, process FNF_FREE_DOWNLOAD.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" by process dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3496, process FNF_FREE_DOWNLOAD.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token 33, PID 2592, process AUDIODG.EXE
  Token SeIncBasePriorityPrivilege, PID 2592, process AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3496, process FNF_FREE_DOWNLOAD.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3848 wrote to memory of 3496 (pid 3848, process dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe, procid_target 86)
  PID 3848 wrote to memory of 3496 (pid 3848, process dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe, procid_target 86)
  PID 3848 wrote to memory of 3496 (pid 3848, process dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe, procid_target 86)
Processes
- C:\Users\Admin\AppData\Local\Temp\dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe (PID 3848, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FNF_FREE_DOWNLOAD.exe (PID 3496, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FNF_FREE_DOWNLOAD.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\AUDIODG.EXE (PID 2592, depth 1)
  command line: C:\Windows\system32\AUDIODG.EXE 0x470 0x2ec
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads