be59be2254ce5e20df112570427dd5bb4242ff5c2ade693597f8cf7b141170f2

Resubmissions

22/09/2024, 14:16

240922-rljrjatdkn 10

22/09/2024, 13:29

240922-qrj4tasaqn 10

22/09/2024, 12:31

240922-pqhzpazdpc 10

Analysis

max time kernel
1050s
max time network
726s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/09/2024, 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dotnet-all-fixer-400.exe
Size

11.3MB
MD5

4cc796f1e8c131990ac4ebb4bcd554c3
SHA1

c1f7a3ba84442c014085ca1586fe11e238f2b443
SHA256

be59be2254ce5e20df112570427dd5bb4242ff5c2ade693597f8cf7b141170f2
SHA512

1190a81edee03de46ccf739f43d574fa7723bc88264fbff526f558773b6253f9fe3047801db0b44aa68b73e4003109c5c527ad62bebc087486e06bcbe672ce41
SSDEEP

196608:38pY1aZCSJb3tQk5tMurErvI9pWj+NyPvzmespE01FcGdiucCH:v1aZV7v5tMurEUWjuy3za71DdiucCH

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
2776	dotnet-all-fixer-400.exe
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000001915a-45.dat	upx
behavioral1/files/0x00040000000191b3-53.dat	upx
behavioral1/files/0x0005000000018ffa-57.dat	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1956	taskmgr.exe
2776	dotnet-all-fixer-400.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	taskmgr.exe
Token: 33	300	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	300	AUDIODG.EXE
Token: 33	300	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	300	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2776	2232	dotnet-all-fixer-400.exe	30
PID 2232 wrote to memory of 2776	2232	dotnet-all-fixer-400.exe	30
PID 2232 wrote to memory of 2776	2232	dotnet-all-fixer-400.exe	30

C:\Users\Admin\AppData\Local\Temp\dotnet-all-fixer-400.exe
"C:\Users\Admin\AppData\Local\Temp\dotnet-all-fixer-400.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\dotnet-all-fixer-400.exe
  "C:\Users\Admin\AppData\Local\Temp\dotnet-all-fixer-400.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2776

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1956

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI22322\python311.dll

Filesize
1.6MB

MD5
0d96f5dfd2dd0f495cad36148493c761

SHA1
928107e88bbee02563594374cd6c6ad19091fe14

SHA256
a238f7fb0043c4b64f76095c1ef950544bb1d0debd0902ea0fa3e8d99e5d4a47

SHA512
693c28c64e974ca1fb754357788a65b3a0271e63395963bb92691a5838e1b665af7aada6be5c5ada8339100eedd64c40ca0556601bec26a0f9e483ea98ab2d03

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22322\libcrypto-3.dll

Filesize
1.6MB

MD5
443fd07a22ff1a688a3505d35f3c3dd1

SHA1
ab9f501aa1d3d523b45f8170e53981672cd69131

SHA256
f9c87ec6401039fd03b7c6732c74d1abfdb7c07c8e9803d00effe4c610baa9ee

SHA512
1de390d5d9872c9876662f89c57173391ecd300cabde69c655b2ade7eea56e67376839607cac52572111b88a025797060653dc8bb987c6a165f535b245309844

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22322\sqlite3.dll

Filesize
644KB

MD5
de8018abd4a261cbb6be7acae32d3b07

SHA1
312a1de08a8d82ed23a3a1184d155d4bdd51d84a

SHA256
1d3b09affe7c5f6d3a5015aa7cb64d9b5df16b3d4b773ac09a1a1494d7413904

SHA512
9fbf011ee00cd3f1e6f44e540c80ac057f9f5a2759c6921f5827b28246af45e0e7466d2b8340b41552d83809273a505336387530d5bb6336e6b1ddbe586841f9

Download Submit
memory/1956-49-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1956-50-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1956-51-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1956-52-0x00000000020E0000-0x00000000020F0000-memory.dmp

Filesize
64KB

Download
memory/2776-47-0x000007FEF5CB0000-0x000007FEF62A2000-memory.dmp

Filesize
5.9MB

Download
memory/2776-48-0x000007FEF5CB0000-0x000007FEF62A2000-memory.dmp

Filesize
5.9MB

Download