497b340d509298c988038c250468e3173d2345502dc54d90a2a1fbb75367735d

Analysis

max time kernel
11s
max time network
5s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 09:25

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.Trojan-gen.8681.30993.exe
Size

704KB
MD5

6cd1d78e7371864e3bc5b38dba7f4b42
SHA1

3f602097ff391bafe3e3d3102e521f4efc28a893
SHA256

497b340d509298c988038c250468e3173d2345502dc54d90a2a1fbb75367735d
SHA512

085c2e31af24490783fd3d67f7419198dc0e33d6bb02a00baaca3d0f0c5ab24541a611064228eddc49b9fcc96c48618fe352f5bada6d518e5df1fca89d5a1aae
SSDEEP

12288:aG78y90JidZJhpS1fS17xSG6zKIBuK7C38fymaRnDMc1BFLHnh9fYI:EyDdNt7xnEo+CkcBFLHh9AI

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2308	mario.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	SecuriteInfo.com.Win32.Trojan-gen.8681.30993.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1452	AUDIODG.EXE
Token: SeShutdownPrivilege	2308	mario.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2308	1784	SecuriteInfo.com.Win32.Trojan-gen.8681.30993.exe	85
PID 1784 wrote to memory of 2308	1784	SecuriteInfo.com.Win32.Trojan-gen.8681.30993.exe	85

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Trojan-gen.8681.30993.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Trojan-gen.8681.30993.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mario.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mario.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2308

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mario.exe

Filesize
94KB

MD5
02614cac174f1d29b4801ed5408fcbc6

SHA1
2e921d68f0cd3ecde79350cde7e50450a8eb7a2f

SHA256
cebf5840376461467a7c665eb79b47329377e57612bf6efcc11d09c6282dbbfa

SHA512
17337fe7111e692147c1655f8126e7fc3bd501c4ccb24b618b001e32f98a2f1c03c7ca9828c753a063f264302e6ea863443be5c2932b0f96957d4bc16c54f34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mario.wmv

Filesize
601KB

MD5
a153e69a2b679d02af5b6da6557a2e06

SHA1
c3cddb216389573fa96e446c3ce7f12a7a6f2a99

SHA256
0b7230cc7ffad8e3565dd30ca6f5209faeb768b03d1f43c726c5a3e2545cb4b8

SHA512
df3dfc6cf85bf13f59e77d912175d16b29a758784358b85f19d79e1d0c2d49a667ca0bd1d2cfef0bfd39f412875e6c945c673c96a9bd48083c81ba37b3ea9887

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads