684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41

Analysis

max time kernel
105s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Size

976KB
MD5

a0cac6e32ea44cd968f7714bd41f5a90
SHA1

be6b091844d5cfa38b33d15d229e491a8bdd2502
SHA256

684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41
SHA512

6af66448584ab324c4a7cc4dfb77c6db83954153f87c6681f4af29b7f8b1675b9bfec74fb76dede48d168414fe1344d3a3dd48d7f0744842acb8632795bdb695
SSDEEP

3072:HaXt5hsc2+T33w68MSWjFzNaMYpa/LJ9WsXrAmbvJMRYe:6Xt5hsc2w3w6tztfnJrAm1MR

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\EC6B564A4A2E438408725\\EC6B564A4A2E438408725.exe"	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 876 set thread context of 1372	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	31
PID 876 set thread context of 2492	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	32
PID 876 set thread context of 2844	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	33

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeSecurityPrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeTakeOwnershipPrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeLoadDriverPrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeSystemProfilePrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeSystemtimePrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeProfSingleProcessPrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeIncBasePriorityPrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeCreatePagefilePrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeBackupPrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeRestorePrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeShutdownPrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeDebugPrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeSystemEnvironmentPrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeRemoteShutdownPrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeUndockPrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: SeManageVolumePrivilege	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: 33	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: 34	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
Token: 35	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 1372	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	31
PID 876 wrote to memory of 1372	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	31
PID 876 wrote to memory of 1372	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	31
PID 876 wrote to memory of 2492	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	32
PID 876 wrote to memory of 2492	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	32
PID 876 wrote to memory of 2492	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	32
PID 876 wrote to memory of 1372	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	31
PID 876 wrote to memory of 1372	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	31
PID 876 wrote to memory of 1372	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	31
PID 876 wrote to memory of 1372	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	31
PID 876 wrote to memory of 1372	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	31
PID 876 wrote to memory of 1372	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	31
PID 876 wrote to memory of 1372	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	31
PID 876 wrote to memory of 1372	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	31
PID 876 wrote to memory of 1372	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	31
PID 876 wrote to memory of 2492	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	32
PID 876 wrote to memory of 2492	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	32
PID 876 wrote to memory of 2492	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	32
PID 876 wrote to memory of 2492	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	32
PID 876 wrote to memory of 2492	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	32
PID 876 wrote to memory of 2492	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	32
PID 876 wrote to memory of 2492	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	32
PID 876 wrote to memory of 2492	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	32
PID 876 wrote to memory of 2492	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	32
PID 1372 wrote to memory of 2712	1372	audiodg.exe	35
PID 1372 wrote to memory of 2712	1372	audiodg.exe	35
PID 1372 wrote to memory of 2712	1372	audiodg.exe	35
PID 2492 wrote to memory of 2784	2492	svchost.exe	34
PID 2492 wrote to memory of 2784	2492	svchost.exe	34
PID 2492 wrote to memory of 2784	2492	svchost.exe	34
PID 876 wrote to memory of 2844	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	33
PID 876 wrote to memory of 2844	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	33
PID 876 wrote to memory of 2844	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	33
PID 876 wrote to memory of 2844	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	33
PID 876 wrote to memory of 2844	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	33
PID 876 wrote to memory of 2844	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	33
PID 876 wrote to memory of 2844	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	33
PID 876 wrote to memory of 2844	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	33
PID 876 wrote to memory of 2844	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	33
PID 876 wrote to memory of 2844	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	33
PID 876 wrote to memory of 2844	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	33
PID 876 wrote to memory of 2844	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	33
PID 876 wrote to memory of 2844	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	33
PID 876 wrote to memory of 2844	876	684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe	33
PID 2844 wrote to memory of 2580	2844	msiexec.exe	36
PID 2844 wrote to memory of 2580	2844	msiexec.exe	36
PID 2844 wrote to memory of 2580	2844	msiexec.exe	36

C:\Users\Admin\AppData\Local\Temp\684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe
"C:\Users\Admin\AppData\Local\Temp\684ba0cce545caa4389fe09235dd5446e44d609c6db644333fa2555133e11a41N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\system32\audiodg.exe
  "C:\Windows\system32\audiodg.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1372 -s 20
    3⤵
    PID:2712
- C:\Windows\system32\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2492 -s 20
    3⤵
    PID:2784
- C:\Windows\system32\msiexec.exe
  "C:\Windows\system32\msiexec.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2844 -s 184
    3⤵
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1372-10-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1372-39-0x00000000FF450000-0x00000000FF48E000-memory.dmp

Filesize
248KB

Download
memory/1372-9-0x00000000FF450000-0x00000000FF48E000-memory.dmp

Filesize
248KB

Download
memory/1372-3-0x00000000FF450000-0x00000000FF48E000-memory.dmp

Filesize
248KB

Download
memory/1372-2-0x00000000FF450000-0x00000000FF48E000-memory.dmp

Filesize
248KB

Download
memory/1372-4-0x00000000FF450000-0x00000000FF48E000-memory.dmp

Filesize
248KB

Download
memory/1372-6-0x00000000FF450000-0x00000000FF48E000-memory.dmp

Filesize
248KB

Download
memory/1372-5-0x00000000FF450000-0x00000000FF48E000-memory.dmp

Filesize
248KB

Download
memory/1372-8-0x00000000FF450000-0x00000000FF48E000-memory.dmp

Filesize
248KB

Download
memory/1372-7-0x00000000FF450000-0x00000000FF48E000-memory.dmp

Filesize
248KB

Download
memory/1372-12-0x00000000FF450000-0x00000000FF48E000-memory.dmp

Filesize
248KB

Download
memory/2492-23-0x00000000FFB80000-0x00000000FFBBE000-memory.dmp

Filesize
248KB

Download
memory/2492-29-0x00000000FFB80000-0x00000000FFBBE000-memory.dmp

Filesize
248KB

Download
memory/2492-21-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2844-67-0x00000000FF0E0000-0x00000000FF11E000-memory.dmp

Filesize
248KB

Download
memory/2844-55-0x00000000FF0E0000-0x00000000FF11E000-memory.dmp

Filesize
248KB

Download
memory/2844-54-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

Filesize
4KB

Download
memory/2844-61-0x00000000FF0E0000-0x00000000FF11E000-memory.dmp

Filesize
248KB

Download
memory/2844-66-0x00000000FF0E0000-0x00000000FF11E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads