22edee709213f759cbbd466b17bd156270218355eb755c1d00641309d562fd83

Analysis

max time kernel
34s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Laucnherfkaskdk.exe
Size

723KB
MD5

a600cf800900485cdc62edbf49de855f
SHA1

af2d70906c5716366510109583a6c4edf59de19e
SHA256

22edee709213f759cbbd466b17bd156270218355eb755c1d00641309d562fd83
SHA512

c0c6a974837a9b1ec00de081ac4854bdb59add3f42770ff99e905795ec1ba07aaef43c38d57f18d67b46d46ee11e8423b85439afdbe987fc91c424e148815ad3
SSDEEP

12288:xhAJjgTqySggXAfMTtx8eX5VUQWwGltdfgmXShq4AuGXcBU:x28TIXOGXzLuTfdXSc3XcBU

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
31	raw.githubusercontent.com
32	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
42	raw.githubusercontent.com
47	raw.githubusercontent.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	Laucnherfkaskdk.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2452	2920	Laucnherfkaskdk.exe	94
PID 2920 wrote to memory of 2452	2920	Laucnherfkaskdk.exe	94
PID 2920 wrote to memory of 2452	2920	Laucnherfkaskdk.exe	94
PID 2452 wrote to memory of 3616	2452	csc.exe	96
PID 2452 wrote to memory of 3616	2452	csc.exe	96
PID 2452 wrote to memory of 3616	2452	csc.exe	96
PID 2920 wrote to memory of 4304	2920	Laucnherfkaskdk.exe	97
PID 2920 wrote to memory of 4304	2920	Laucnherfkaskdk.exe	97
PID 2920 wrote to memory of 4304	2920	Laucnherfkaskdk.exe	97
PID 4304 wrote to memory of 2696	4304	csc.exe	99
PID 4304 wrote to memory of 2696	4304	csc.exe	99
PID 4304 wrote to memory of 2696	4304	csc.exe	99
PID 2920 wrote to memory of 2668	2920	Laucnherfkaskdk.exe	101
PID 2920 wrote to memory of 2668	2920	Laucnherfkaskdk.exe	101
PID 2920 wrote to memory of 2668	2920	Laucnherfkaskdk.exe	101
PID 2668 wrote to memory of 4532	2668	csc.exe	103
PID 2668 wrote to memory of 4532	2668	csc.exe	103
PID 2668 wrote to memory of 4532	2668	csc.exe	103
PID 2920 wrote to memory of 764	2920	Laucnherfkaskdk.exe	104
PID 2920 wrote to memory of 764	2920	Laucnherfkaskdk.exe	104
PID 2920 wrote to memory of 764	2920	Laucnherfkaskdk.exe	104
PID 764 wrote to memory of 1548	764	csc.exe	106
PID 764 wrote to memory of 1548	764	csc.exe	106
PID 764 wrote to memory of 1548	764	csc.exe	106
PID 2920 wrote to memory of 1976	2920	Laucnherfkaskdk.exe	107
PID 2920 wrote to memory of 1976	2920	Laucnherfkaskdk.exe	107
PID 2920 wrote to memory of 1976	2920	Laucnherfkaskdk.exe	107
PID 1976 wrote to memory of 4996	1976	csc.exe	109
PID 1976 wrote to memory of 4996	1976	csc.exe	109
PID 1976 wrote to memory of 4996	1976	csc.exe	109

C:\Users\Admin\AppData\Local\Temp\Laucnherfkaskdk.exe
"C:\Users\Admin\AppData\Local\Temp\Laucnherfkaskdk.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3jp2013e\3jp2013e.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94CE.tmp" "c:\Users\Admin\AppData\Local\Temp\3jp2013e\CSCC76E3FCF426F4C619150838D0F2CB75.TMP"
    3⤵
    PID:3616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oqfcfh0g\oqfcfh0g.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2D7.tmp" "c:\Users\Admin\AppData\Local\Temp\oqfcfh0g\CSCE6E5D008ADC408996B9CFF62DCD218.TMP"
    3⤵
    PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u15w13sd\u15w13sd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8F2.tmp" "c:\Users\Admin\AppData\Local\Temp\u15w13sd\CSCF6359690A7634B3B9AF77EEE3A47737.TMP"
    3⤵
    PID:4532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wusan05o\wusan05o.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD76.tmp" "c:\Users\Admin\AppData\Local\Temp\wusan05o\CSCC2218EA4D7834528825D16A72B53E52A.TMP"
    3⤵
    PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gh1y2rmy\gh1y2rmy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB46B.tmp" "c:\Users\Admin\AppData\Local\Temp\gh1y2rmy\CSC50245A6295FA403DB2BE41A9B8D689F1.TMP"
    3⤵
    PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3jp2013e\3jp2013e.dll

Filesize
6KB

MD5
201f0de911ad7ee678212f2fc054f542

SHA1
22b5eee8bb9732d41d2ff02b658a3642b85b6b1b

SHA256
97e1a00ca2582528c72373b7c7040dc37aaca1362d071ba4136907c6157c0b11

SHA512
6187eb2aa1effd4fdeca9d5d52ca0c125dca0fec35164dab01e12700a475b4d6eb7bdfef55acef7965af4f31638ecc48e0ad49212db39a91873201f717e31081

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES94CE.tmp

Filesize
1KB

MD5
e99f131cac9e485756968fa454cd7606

SHA1
583c7481aadbeacc2c51b7bd7d67e273df8b12c8

SHA256
61bfebb2de2f268d895c354ad29948a7930189038fa4e832351c2f8be9f5298f

SHA512
b1a9517674f1784963a0f1d6544a8168d9c5dc95b172fd01c7a8a15b487a5a44fb434e6dafc4d5a12ba206f3e485ee6232cd0c42e88569957f19d64972917771

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA2D7.tmp

Filesize
1KB

MD5
ad533185651355309e3759d426997ff7

SHA1
ea871d6d53edad5d614a3e16e988549800960eea

SHA256
6764f78637f32d65b7a0088ae2778d999ca5bda25374c5650dde97d65bbae3d1

SHA512
badc847114d0a6915b0e8af06a28bff296b660a9faeb3be66c80868ea04376e2677b09e2450ba6ad81bf5e0423902797e10bc567fc94fc5a9e6ac5ed18dad374

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA8F2.tmp

Filesize
1KB

MD5
23e984a20fc956590ad53d8ae8c3a516

SHA1
0bfd38f612537879d433cb03b1c62f822b5c7e46

SHA256
81d41be553b8d8a3a04e3af36061279628fadde1706413217b5b7960f29643db

SHA512
f06e1a35293474881ff8f12ca822781a59efe24230586a52bfd9025bb3788c2cdb876e76f0d3843e43f69750398770959262fd8a424912d43a1a39128237bb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAD76.tmp

Filesize
1KB

MD5
00dc2385c6cc929a467739f721746593

SHA1
afb8b1717bac10e9e1998cfe40e332cea8af0671

SHA256
e414b60a1971b1d909a88905cfddefdd3c98499d2d26e14a9b002354bb6e3fa5

SHA512
062fe9e9f3cf4bb3e95915998774931eac7f7b30d4e97de3e4c67e21c38527b8f7741765788f17ea16382b844a77dba9260b63d4c5dbfa086e9f27c1730c0ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB46B.tmp

Filesize
1KB

MD5
25f7c1617d8b816deb1e1e0e7c225472

SHA1
a0c31c7663269de04d1d7a8a198b02771a8700e1

SHA256
1557e21c7a351c89046493c77e5d4600de363815528c7081266a260ef1c7b1b0

SHA512
b0e15accdc4b2b80135c463c1c4900c42df181582bd7197d58472e915f72b40bcb21ede22ef536251d6a85f8bd5f5db9e8a983c2817b0ea47513727d5d96b5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gh1y2rmy\gh1y2rmy.dll

Filesize
6KB

MD5
5942dc936a57829ff029e3aec53a952b

SHA1
4d433bf8a23795c6d89f42eb8fa0876f131b6985

SHA256
281b697404f8cc5fe20a8d400cebe78b2879be02dd264521acd301489cf0b43d

SHA512
b7e8c6c286a26904e43421e21bc8dc3a494c12323d14361a976a7add34c6eb5949ff4102214a12a6c2c2fc029aa349d5b23fa9008bc9c6aba26d45027a128902

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqfcfh0g\oqfcfh0g.dll

Filesize
6KB

MD5
f09b1d56d977a0bf559cec355c687bfe

SHA1
12433711a780522e1b8182bcfdae4f8a8fe84cbe

SHA256
c717e5f716005f6ef91ce8036fdc8b970812b517bfc1e860dcc106fc0e29bbd1

SHA512
4c3e118f70be4b52bd976d595a851a35da4d52a933001ba95b22cff34ab527ab1e0b50126c3480566be6e3c78d433bf2da2442d84b6827ca58238068aa04c7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\u15w13sd\u15w13sd.dll

Filesize
6KB

MD5
1effb4949feea9a4c31466c7786e4570

SHA1
004366f48d1458cdd1ff7c01a36b7c5186d948cc

SHA256
c572c65f9a0fd345727b56ec18a8ae0c7bd0852648fd0da24c9e2fb67730458e

SHA512
ba483423ba9d0e59454434618cd75ac4c02727baaacd77948465055853573c8fc0a26f1c2fc096b89d31ec22717cfcbb3c6a6588f023711da8c4eae5bd1817fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wusan05o\wusan05o.dll

Filesize
6KB

MD5
9dcae808865c57190df56418e9991523

SHA1
0af5440775abe3b64c501a78f36e8e0d4954f51c

SHA256
8bbc7d6fe4c0187ce7df954dc4efaccc1a76e45a63e7b0c600ed0e83ef379e93

SHA512
1af9f791a13d5838d22cd4463f718bf602776f85bbc0f44613d9a7bb27d0dec3a0871ca0747e7cbfcf3e1ce265407c4dcfe2bd8cc44bc8c4db7ec91be68a6c84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3jp2013e\3jp2013e.0.cs

Filesize
1KB

MD5
f4943fc4b90809ffcd92d50aabd58bb1

SHA1
ba7f4a801e0893d7d35aafd64e943b44ecf72443

SHA256
77e58276771800be6266178fbc9e28e7a77dfd1b1003bcb141357547a92d88e4

SHA512
cc87ff61dda5fe49b6a7cda576d752b55cea4c277e3df2965c31638bb6fd087dc337bd4da415a104bed99e6647ca947462d02f789ceb4dc3d5d8dabfc70e29c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3jp2013e\3jp2013e.cmdline

Filesize
289B

MD5
cb35ad98efd7581c641dc3f37552b74e

SHA1
b61179c8df9fd44a2c7e6749b4e372d223c7e87e

SHA256
d2eb418ce9a44d6197cb2dd528a83bcb07fdad2412c8e815e38d144925edba63

SHA512
9519d793bae3c47d1710f9ef69fb3839273a593b2bb2f4002efb87d7e30660dfb999961d94c3c776252e1283d8e2e8b769efa6f07f6f41dd19b383fe9901a13b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3jp2013e\CSCC76E3FCF426F4C619150838D0F2CB75.TMP

Filesize
652B

MD5
ce2efa5b1dc7de99ac180ea440912394

SHA1
90eb346ab75245cee4f23f5a42ab3cd279f2b130

SHA256
ff88eec57dde766152a90bce633dde7bd6789fd38b7b060d30576a484088b5e1

SHA512
6f689a1f2a7a092b0fca14b233b82f50aa28cee4ab0ee79be0ba2ad43fb19917c09f4b4944501c9677e670e79fcfbd291e785d87e2935cb2c21d56ea0b881555

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gh1y2rmy\CSC50245A6295FA403DB2BE41A9B8D689F1.TMP

Filesize
652B

MD5
8118ba04e42da24b05c9d6bdbd4995e8

SHA1
00c8124e7c74832a18a9c4b2d509fc050b0c1d89

SHA256
cebe62201f2da3511de0c6f411973830896f362ffe555278206e56d60191ec90

SHA512
4ecb43da07256a5f435af107cf62c55eb7284fecdbd17ab2c2d872504fef8193159daebc3e8dfa8df3306e9e9f7283071fc215d2d19b7dd0e01686709db0ed1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gh1y2rmy\gh1y2rmy.cmdline

Filesize
289B

MD5
863a98be38bebe6e313ba941e156ebbe

SHA1
d1e14f4f2f96d84d3f88490747bd798da0e9a673

SHA256
137f4ea395cfdd798bc5021c51f596ff5ace91a15028a0b3281eb26e5c65559f

SHA512
8916bc7e2c8364f133836a47c72e2172c7bfd2c96d243e95b408e05c3d27b5387c5a234280efd941a0c653fe2a26396c86bdf985f8fbf4151346d154527f7b94

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oqfcfh0g\CSCE6E5D008ADC408996B9CFF62DCD218.TMP

Filesize
652B

MD5
8922298a7fb44699a164d5f5c0624fcf

SHA1
d8d824c7ed8bd95c9c0b33298d067e69f8a90bac

SHA256
b9423cd35ea10c16d4aab9cab2feccff9824ab68c5539d5a85ba1197f21b9db1

SHA512
37506cf29b49b08ef405a58f65fa2afe4d2816320dbd5f14284be1ab0d84d5af71ebeeb3c1fc3a3a6eaba28c2c197b85dc042b06b9f95dd7fa74eef6884f24b4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oqfcfh0g\oqfcfh0g.cmdline

Filesize
289B

MD5
7de2c41a4eaabae293802c303dac36ce

SHA1
d2ba6ab2a49f15458e9d68272664a46271ea1ab8

SHA256
1f0d2828c875cd994bb4039f989a0ad6e9afe92a80a61bfd3d1dad54523cf57d

SHA512
ea8067579ca5974a0e97ec05427b581e279da6bd2507f4d184e730239bc25c49f87a3ce40e9b4c3a176a25b98526be35b0462ce91c27eb8d6078f4033ac989a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u15w13sd\CSCF6359690A7634B3B9AF77EEE3A47737.TMP

Filesize
652B

MD5
48290eacf80379520b6627814d57f6ac

SHA1
b8911d0719545ce1adb52f169d7a1a44f941cbaa

SHA256
5a6dbfc7ba6878ba75d03974453cf10b4411da4837495778a03ecc052e880a4c

SHA512
4a5ea37ac7dce3372200f93f1e6c543388936fb68a33e1cf4888b965084080aee924317e369e270806ae54c63fac70f1c8fa18fc588fcbf56848767a32e5aace

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u15w13sd\u15w13sd.cmdline

Filesize
289B

MD5
9ce3d61df900537e6e6098d25644363d

SHA1
55a464b496e84983b2ae59740747900745d7b35d

SHA256
03f41fde1573f327cbb92e41bada42a6a93bbb31f3c467304721389dab94c852

SHA512
f96c04bf49ced78e2a13b8b3f555cdd0fad078183cf95af32cf881366a28ed46e3b81b16e8e0be0a4191abf79b7a17f025f1306ff56166f47506a8d74f589b14

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wusan05o\CSCC2218EA4D7834528825D16A72B53E52A.TMP

Filesize
652B

MD5
36bbcba6f1268b178a0e1f73a7bb3543

SHA1
155803fc44e93d27b6d626603eb4959e5cca1c4d

SHA256
f9568f06489247ac4da8e4aa8136c9a98388a3e1b5432a86de51b2dbd43346fd

SHA512
0093264591479e4b41f93dc985898042ec56c445fe5ff33930a6c9cae9be415a1f889392032d4f79267beb026ddb7ec13273420411ac06dca65e0b6f336e7762

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wusan05o\wusan05o.cmdline

Filesize
289B

MD5
238a16f8a0a50846fd4827628093bf0f

SHA1
4754a3707eb28dcc77ee4cae1c3026e6f6134be2

SHA256
1f67aa777a5709320d03e4787440fc2524d0d4196da1729053e203b6345bbd5b

SHA512
c7dd2bb61262f779e33fc6fe2bd43536e73b9a6efe22990d6a7b8b936ac169315866475190ab026f179022ae690a7dfefe183c0d4612d750a03758b1dec13279

Download Submit
memory/2920-5-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/2920-6-0x00000000750AE000-0x00000000750AF000-memory.dmp

Filesize
4KB

Download
memory/2920-51-0x00000000089D0000-0x00000000089D8000-memory.dmp

Filesize
32KB

Download
memory/2920-7-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/2920-36-0x00000000089C0000-0x00000000089C8000-memory.dmp

Filesize
32KB

Download
memory/2920-4-0x0000000004B80000-0x0000000004B8A000-memory.dmp

Filesize
40KB

Download
memory/2920-66-0x00000000089E0000-0x00000000089E8000-memory.dmp

Filesize
32KB

Download
memory/2920-3-0x0000000004BA0000-0x0000000004C32000-memory.dmp

Filesize
584KB

Download
memory/2920-0-0x00000000750AE000-0x00000000750AF000-memory.dmp

Filesize
4KB

Download
memory/2920-21-0x00000000063D0000-0x00000000063D8000-memory.dmp

Filesize
32KB

Download
memory/2920-2-0x00000000050B0000-0x0000000005654000-memory.dmp

Filesize
5.6MB

Download
memory/2920-81-0x0000000008A30000-0x0000000008A38000-memory.dmp

Filesize
32KB

Download
memory/2920-1-0x00000000000B0000-0x000000000016A000-memory.dmp

Filesize
744KB

Download