a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 01:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540.exe
Size

1.2MB
MD5

7754fb5516eea45c40fc3b3f29e55cca
SHA1

00b7053d8554616b35d482fc98c43c6cb22e2328
SHA256

a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540
SHA512

88a1eda10932186fceeb7ac698d1987619c471ec74b052faf6db9e9259dcce06aa8fda52d212f1ffc6780172c63ecfe69dcabb5188e02c225330c7817b15b72c
SSDEEP

24576:bAHnh+eWsN3skA4RV1Hom2KXMmHahExzVA/bE3ERmxSvXwUYWrV5:2h+ZkldoPK8YahazVOb4AXwU/z

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
456	name.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000800000002341e-15.dat	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 456 set thread context of 4268	456	name.exe	86
PID 4268 set thread context of 3440	4268	svchost.exe	55
PID 4268 set thread context of 592	4268	svchost.exe	90
PID 592 set thread context of 3440	592	sethc.exe	55

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe
592	sethc.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
456	name.exe
4268	svchost.exe
3440	Explorer.EXE
3440	Explorer.EXE
592	sethc.exe
592	sethc.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
5000	a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540.exe
5000	a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540.exe
456	name.exe
456	name.exe
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
5000	a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540.exe
5000	a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540.exe
456	name.exe
456	name.exe
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3440	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 456	5000	a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540.exe	85
PID 5000 wrote to memory of 456	5000	a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540.exe	85
PID 5000 wrote to memory of 456	5000	a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540.exe	85
PID 456 wrote to memory of 4268	456	name.exe	86
PID 456 wrote to memory of 4268	456	name.exe	86
PID 456 wrote to memory of 4268	456	name.exe	86
PID 456 wrote to memory of 4268	456	name.exe	86
PID 3440 wrote to memory of 592	3440	Explorer.EXE	90
PID 3440 wrote to memory of 592	3440	Explorer.EXE	90
PID 3440 wrote to memory of 592	3440	Explorer.EXE	90

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Local\Temp\a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540.exe
  "C:\Users\Admin\AppData\Local\Temp\a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Local\Temp\a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:4268
- C:\Windows\SysWOW64\sethc.exe
  "C:\Windows\SysWOW64\sethc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut4E9D.tmp

Filesize
265KB

MD5
e3076f64582a5b800e333ac8fe8debc5

SHA1
86819a57c25e258a4f64c1f942aad91ffd6ab0b8

SHA256
fc99d6a9f2d90d1e805b880bf0f326e82700f230f73b27a37720466fa2d178aa

SHA512
cf86f7975564db9db010d3bedc307c2b7950b1f04e96d7ee433b5ebc4028bb29eb93ffad5e1da50fdf44d29ce2813f7af8765a0ec20e9516f7a9da757d4e3825

Download Submit
C:\Users\Admin\AppData\Local\Temp\renowner

Filesize
28KB

MD5
762effa3a0d4aab2f78ee50563f78b54

SHA1
5a4c59f86c1178a882a57346cdd99956436f5e54

SHA256
671383dcf828e7c376a3d915ef5ce00329edc8b4498134a364d26d915b939511

SHA512
f71750abec12f1786c263a0797b425fd6f7f7eee1709025324c8fb9d84f87fd52329a95b5957e6b2a836e4ba89c3787b265eba79c8a33b4778b17b167a7e5201

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.2MB

MD5
7754fb5516eea45c40fc3b3f29e55cca

SHA1
00b7053d8554616b35d482fc98c43c6cb22e2328

SHA256
a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540

SHA512
88a1eda10932186fceeb7ac698d1987619c471ec74b052faf6db9e9259dcce06aa8fda52d212f1ffc6780172c63ecfe69dcabb5188e02c225330c7817b15b72c

Download Submit
memory/592-44-0x0000000003080000-0x00000000033CA000-memory.dmp

Filesize
3.3MB

Download
memory/592-49-0x0000000002DD0000-0x0000000002E72000-memory.dmp

Filesize
648KB

Download
memory/592-48-0x0000000000D10000-0x0000000000D4F000-memory.dmp

Filesize
252KB

Download
memory/592-46-0x0000000002DD0000-0x0000000002E72000-memory.dmp

Filesize
648KB

Download
memory/592-45-0x0000000000D10000-0x0000000000D4F000-memory.dmp

Filesize
252KB

Download
memory/592-41-0x0000000000D10000-0x0000000000D4F000-memory.dmp

Filesize
252KB

Download
memory/592-40-0x0000000000D10000-0x0000000000D4F000-memory.dmp

Filesize
252KB

Download
memory/3440-47-0x000000000CB50000-0x000000000DF8D000-memory.dmp

Filesize
20.2MB

Download
memory/3440-50-0x0000000008D70000-0x0000000008E21000-memory.dmp

Filesize
708KB

Download
memory/3440-39-0x000000000CB50000-0x000000000DF8D000-memory.dmp

Filesize
20.2MB

Download
memory/4268-38-0x0000000001670000-0x0000000001693000-memory.dmp

Filesize
140KB

Download
memory/4268-43-0x0000000001670000-0x0000000001693000-memory.dmp

Filesize
140KB

Download
memory/4268-42-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4268-37-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4268-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4268-35-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4268-34-0x0000000001800000-0x0000000001B4A000-memory.dmp

Filesize
3.3MB

Download
memory/4268-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4268-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5000-12-0x0000000004040000-0x0000000004044000-memory.dmp

Filesize
16KB

Download