a00261d08d7baf7f83c01d87d670833a4ad5275b634dc046e0f109eaa7bce7f1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG______6122024.exe
Size

1.2MB
MD5

7754fb5516eea45c40fc3b3f29e55cca
SHA1

00b7053d8554616b35d482fc98c43c6cb22e2328
SHA256

a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540
SHA512

88a1eda10932186fceeb7ac698d1987619c471ec74b052faf6db9e9259dcce06aa8fda52d212f1ffc6780172c63ecfe69dcabb5188e02c225330c7817b15b72c
SSDEEP

24576:bAHnh+eWsN3skA4RV1Hom2KXMmHahExzVA/bE3ERmxSvXwUYWrV5:2h+ZkldoPK8YahazVOb4AXwU/z

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
4944	name.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023427-14.dat	autoit_exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4944 set thread context of 2684	4944	name.exe	86
PID 2684 set thread context of 3532	2684	svchost.exe	56
PID 2684 set thread context of 2172	2684	svchost.exe	89
PID 2172 set thread context of 3532	2172	sethc.exe	56
PID 2172 set thread context of 2572	2172	sethc.exe	91

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	sethc.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4944	name.exe
2684	svchost.exe
3532	Explorer.EXE
3532	Explorer.EXE
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe
2172	sethc.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2628	IMG______6122024.exe
2628	IMG______6122024.exe
4944	name.exe
4944	name.exe
3532	Explorer.EXE
3532	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2628	IMG______6122024.exe
2628	IMG______6122024.exe
4944	name.exe
4944	name.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3532	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 4944	2628	IMG______6122024.exe	85
PID 2628 wrote to memory of 4944	2628	IMG______6122024.exe	85
PID 2628 wrote to memory of 4944	2628	IMG______6122024.exe	85
PID 4944 wrote to memory of 2684	4944	name.exe	86
PID 4944 wrote to memory of 2684	4944	name.exe	86
PID 4944 wrote to memory of 2684	4944	name.exe	86
PID 4944 wrote to memory of 2684	4944	name.exe	86
PID 3532 wrote to memory of 2172	3532	Explorer.EXE	89
PID 3532 wrote to memory of 2172	3532	Explorer.EXE	89
PID 3532 wrote to memory of 2172	3532	Explorer.EXE	89
PID 2172 wrote to memory of 2572	2172	sethc.exe	91
PID 2172 wrote to memory of 2572	2172	sethc.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\IMG______6122024.exe
  "C:\Users\Admin\AppData\Local\Temp\IMG______6122024.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Local\Temp\IMG______6122024.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\IMG______6122024.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2684
- C:\Windows\SysWOW64\sethc.exe
  "C:\Windows\SysWOW64\sethc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut3F6A.tmp

Filesize
265KB

MD5
e3076f64582a5b800e333ac8fe8debc5

SHA1
86819a57c25e258a4f64c1f942aad91ffd6ab0b8

SHA256
fc99d6a9f2d90d1e805b880bf0f326e82700f230f73b27a37720466fa2d178aa

SHA512
cf86f7975564db9db010d3bedc307c2b7950b1f04e96d7ee433b5ebc4028bb29eb93ffad5e1da50fdf44d29ce2813f7af8765a0ec20e9516f7a9da757d4e3825

Download Submit
C:\Users\Admin\AppData\Local\Temp\renowner

Filesize
28KB

MD5
762effa3a0d4aab2f78ee50563f78b54

SHA1
5a4c59f86c1178a882a57346cdd99956436f5e54

SHA256
671383dcf828e7c376a3d915ef5ce00329edc8b4498134a364d26d915b939511

SHA512
f71750abec12f1786c263a0797b425fd6f7f7eee1709025324c8fb9d84f87fd52329a95b5957e6b2a836e4ba89c3787b265eba79c8a33b4778b17b167a7e5201

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.2MB

MD5
7754fb5516eea45c40fc3b3f29e55cca

SHA1
00b7053d8554616b35d482fc98c43c6cb22e2328

SHA256
a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540

SHA512
88a1eda10932186fceeb7ac698d1987619c471ec74b052faf6db9e9259dcce06aa8fda52d212f1ffc6780172c63ecfe69dcabb5188e02c225330c7817b15b72c

Download Submit
memory/2172-45-0x0000000000350000-0x000000000038F000-memory.dmp

Filesize
252KB

Download
memory/2172-43-0x0000000000350000-0x000000000038F000-memory.dmp

Filesize
252KB

Download
memory/2172-40-0x0000000000350000-0x000000000038F000-memory.dmp

Filesize
252KB

Download
memory/2172-39-0x0000000000350000-0x000000000038F000-memory.dmp

Filesize
252KB

Download
memory/2572-53-0x000001AE073D0000-0x000001AE074B4000-memory.dmp

Filesize
912KB

Download
memory/2628-12-0x0000000003DD0000-0x0000000003DD4000-memory.dmp

Filesize
16KB

Download
memory/2684-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2684-37-0x0000000000B50000-0x0000000000B73000-memory.dmp

Filesize
140KB

Download
memory/2684-35-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2684-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2684-42-0x0000000000B50000-0x0000000000B73000-memory.dmp

Filesize
140KB

Download
memory/2684-34-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2684-33-0x0000000001000000-0x000000000134A000-memory.dmp

Filesize
3.3MB

Download
memory/2684-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3532-38-0x000000000CE70000-0x000000000F6AB000-memory.dmp

Filesize
40.2MB

Download
memory/3532-44-0x000000000CE70000-0x000000000F6AB000-memory.dmp

Filesize
40.2MB

Download
memory/3532-46-0x0000000008580000-0x0000000008696000-memory.dmp

Filesize
1.1MB

Download