ee6726eb2078eba295b02a12a41a11989e39332ca215e7f82df07b1656446e25

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Twister IceFun/Autorun.exe
Size

4.0MB
MD5

763a177e47b5dd1fcd2ea110ce104514
SHA1

42e9681ea0b6d8a65d6176cd7f850517e2567c49
SHA256

e4395ede12cbc68d08c722493a7275c2ba994a86787a764054b89ba47eac728d
SHA512

c9ec9d041f8a0496e6b88c48c11f05d5c16727a1efaba693ad1a0d2db8b020a24f7e44b775e1310fe2b8d70ac7735688a7732b355a502e30aba77c7640b06b25
SSDEEP

98304:a8M1LcgGt1nju99W66siH8wBjABdKGqEOddOhX:+Lct3q9kuiH8wdALVSOhX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1404	plosinovka.exe

Loads dropped DLL 4 IoCs

pid	Process
4184	Autorun.exe
4184	Autorun.exe
1404	plosinovka.exe
1404	plosinovka.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	plosinovka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	plosinovka.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2196	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2196	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4184	Autorun.exe
4184	Autorun.exe
4184	Autorun.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 1404	4184	Autorun.exe	91
PID 4184 wrote to memory of 1404	4184	Autorun.exe	91
PID 4184 wrote to memory of 1404	4184	Autorun.exe	91

C:\Users\Admin\AppData\Local\Temp\Twister IceFun\Autorun.exe
"C:\Users\Admin\AppData\Local\Temp\Twister IceFun\Autorun.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\plosinovka.exe
  "C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\plosinovka.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:1404

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x51c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\game.dat

Filesize
5KB

MD5
df44f860f73d4d81d43f0eccd0f7b612

SHA1
a26a7dae031f8d4b6df03bd5dd09eb1bc649e424

SHA256
938f01e92dc977b413b667ad791feca11f1b848c6b28454cf6625329598e8c36

SHA512
c044b3a5f443e9c31c5d20f39af6e61057c5ed0873ce17de5e7afc2df73025ccaf1a225624bd47344fb0c1ce51b03f22559976b66906973273ab976a48e71ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\jesterrun0.dll

Filesize
22KB

MD5
be39c7eaed7b06d0851bc2f4102d300c

SHA1
daf382abef3caa24e04f4a26c0d3d67e86cdded7

SHA256
8a4ee45ea2338423f762ac14e1d21bccb50e4ea706fac572a9186c84a91550f6

SHA512
99530ff3332afa9f53e444c7458e4432d2c66767cd93327a3f03b9a12682dc599809eef145673c320bf33ae110c0a156b3c553957a07a324bd92d342866b359b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\plosinovka.exe

Filesize
4.5MB

MD5
d35ce5a475a42ce96b233b3328f62fe6

SHA1
f2424b75ea8d00e1ab77c6a9716f0588a3ad6552

SHA256
00db0a7e63dc83ff235550aca8b6949470ca1b6899d79047d2ccaf83883fa423

SHA512
fbefa9596f4552afca79fe97ff56753820ce53d329e76cd501bb41c5cabeec73dcdbee1c6258103594e6a4fae97603621ca30637fe596d6877d7d6799a160cef

Download Submit
memory/1404-23-0x0000000002470000-0x0000000002481000-memory.dmp

Filesize
68KB

Download
memory/4184-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4184-22-0x0000000002270000-0x0000000002281000-memory.dmp

Filesize
68KB

Download