Analysis

  • max time kernel
    167s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 13:20

General

  • Target

    a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe

  • Size

    3.5MB

  • MD5

    2e74d6fa9f7ad6604f4474d3a88df538

  • SHA1

    94ddd1699392c49aea7f9a610ed5487ea5d30a07

  • SHA256

    a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a

  • SHA512

    38725af1c782e2378327ed536ff71e50b429b0fa1eca4299ddaee229ff16d9a18cebfcb44db81d799dfa19278e9f8d961598c1a94c15001be8c8c9daba2667f5

  • SSDEEP

    98304:yHWz45HmcCm7AKb1UcPwX7fVhIdG9k3kKoN:yHWzG1IBnwu

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe
    "C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:788
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release 2>nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release
          4⤵
            PID:1736
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic product where name="FiatLink" call uninstall
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1700
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
          Setup.exe
          3⤵
          • Executes dropped EXE
          PID:2308
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:2996
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1516

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CheckNF.bat

        Filesize

        556B

        MD5

        1f4c5332b3e3f7668c6c0fbd730ef6f7

        SHA1

        f68d224c39e3d472a4cadfbad6f9f3a57ae6f643

        SHA256

        2f31c813c6d6c132fdfc1c09cf995944170db0a382f799d9dc32c249407e966c

        SHA512

        df673b727e5853716de4803d2ce98054a46dfdbcfbb7a7523e8fc34aa4c7fbd3354ea5990e6abf511606bf917c3e50e3bb5489a0f10572dd9aa1e9dea23818ea

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd

        Filesize

        598B

        MD5

        83a8232021f3f7690a57948dd1fd3f53

        SHA1

        785cab55143c51cf13714c7c3827e0324a767b62

        SHA256

        5bc380a39e687d214b52d425634db1490a44c4e56ae4be1658275a5282db00f0

        SHA512

        b9347fb089d2f81f61b40c830a578f47614e48da573ba318b020cc89dcfb65fd50a5dcfdba6e8bf6b5eb914ab441fd461db6ebadfa043b008e92018dee3383a1

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe

        Filesize

        510KB

        MD5

        a71a3c02f397b830524176f5e7545723

        SHA1

        d15dfb49314fd2de949b223837b14e9156355122

        SHA256

        5a8925e95d243ffaeda81be2210fea56fa4e9626484cfadf59da95b485a17ddf

        SHA512

        a3ba63d54c6afc715bb1e28c90d678ca4f3db6ff8e6a572d984f9c9efaa0fd83a512226aba06a0bf1bdab9780cf922c212b7a9be2e134cec0d395916978b0bb2