24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a

General

Target

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
Size

715KB
MD5

223f0d5a662cd55903180e94f7e1b8f9
SHA1

2496bfa1a88b2096501e3ce4fe3cda590d7a7cd2
SHA256

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a
SHA512

a20f6f472a1b9bc8878aee80a36f33990cc574cf32a025373d99c9b6eb22a89af80c6b60211d08accbc7643bbd60abfbd551e144acb0c0c9e29fe26be695843d

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

Windows logoff sound.exe

pid process

828 Windows logoff sound.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1628 cmd.exe
1628 cmd.exe

pid	process
828	Windows logoff sound.exe

pid	process
1628	cmd.exe
1628	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Audio = "\"C:\\Windows\\Windows Audio\\Windows logoff sound.exe\""	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe

description	pid	process	target process
PID 1836 set thread context of 1620	1836	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe

Drops file in Windows directory 3 IoCs

Processes:

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe

description	ioc	process
File created	C:\Windows\Windows Audio\Windows logoff sound.exe	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
File opened for modification	C:\Windows\Windows Audio\Windows logoff sound.exe	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
File opened for modification	C:\Windows\Windows Audio	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

536 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1568 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe

pid process

1836 24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe

pid	process
536	reg.exe

pid	process
1568	PING.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe

pid	process
1836	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
1836	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.execmd.execmd.exe

description	pid	process	target process
PID 1836 wrote to memory of 1620	1836	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
PID 1836 wrote to memory of 1620	1836	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
PID 1836 wrote to memory of 1620	1836	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
PID 1836 wrote to memory of 1620	1836	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
PID 1620 wrote to memory of 1632	1620	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 1620 wrote to memory of 1632	1620	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 1620 wrote to memory of 1632	1620	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 1620 wrote to memory of 1632	1620	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 1632 wrote to memory of 536	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 536	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 536	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 536	1632	cmd.exe	reg.exe
PID 1620 wrote to memory of 1628	1620	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 1620 wrote to memory of 1628	1620	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 1620 wrote to memory of 1628	1620	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 1620 wrote to memory of 1628	1620	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 1620 wrote to memory of 1628	1620	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 1620 wrote to memory of 1628	1620	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 1620 wrote to memory of 1628	1620	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 1628 wrote to memory of 1568	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 1568	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 1568	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 1568	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 828	1628	cmd.exe	Windows logoff sound.exe
PID 1628 wrote to memory of 828	1628	cmd.exe	Windows logoff sound.exe
PID 1628 wrote to memory of 828	1628	cmd.exe	Windows logoff sound.exe
PID 1628 wrote to memory of 828	1628	cmd.exe	Windows logoff sound.exe

C:\Users\Admin\AppData\Local\Temp\24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
"C:\Users\Admin\AppData\Local\Temp\24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
"C:\Users\Admin\AppData\Local\Temp\24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- Modifies registry key
PID:536

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:1568

C:\Windows\Windows Audio\Windows logoff sound.exe
"C:\Windows\Windows Audio\Windows logoff sound.exe"
4⤵
- Executes dropped EXE
PID:828

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
100B

MD5
1f8013f295aea797be61c6a0656122ae

SHA1
5016720c74dc755b31cdea47c3fb0de12795d37b

SHA256
c713cfcb4c627b06cda7c8987c992f487f3f080667dc3ef18c2d7b377ae5b55f

SHA512
4cf78d4061b632d2650e7ed5d583866e61c94573bc63c9e114fb4c2a4bc12ce17f1309c892a49dcf7cd4a58ee5e306fa25eed5f30007e1a40634ae564d7e5ab0

Download Submit
C:\Windows\Windows Audio\Windows logoff sound.exe
Filesize
715KB

MD5
223f0d5a662cd55903180e94f7e1b8f9

SHA1
2496bfa1a88b2096501e3ce4fe3cda590d7a7cd2

SHA256
24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a

SHA512
a20f6f472a1b9bc8878aee80a36f33990cc574cf32a025373d99c9b6eb22a89af80c6b60211d08accbc7643bbd60abfbd551e144acb0c0c9e29fe26be695843d

Download Submit
C:\Windows\Windows Audio\Windows logoff sound.exe
Filesize
715KB

MD5
223f0d5a662cd55903180e94f7e1b8f9

SHA1
2496bfa1a88b2096501e3ce4fe3cda590d7a7cd2

SHA256
24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a

SHA512
a20f6f472a1b9bc8878aee80a36f33990cc574cf32a025373d99c9b6eb22a89af80c6b60211d08accbc7643bbd60abfbd551e144acb0c0c9e29fe26be695843d

Download Submit
\Windows\Windows Audio\Windows logoff sound.exe
Filesize
715KB

MD5
223f0d5a662cd55903180e94f7e1b8f9

SHA1
2496bfa1a88b2096501e3ce4fe3cda590d7a7cd2

SHA256
24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a

SHA512
a20f6f472a1b9bc8878aee80a36f33990cc574cf32a025373d99c9b6eb22a89af80c6b60211d08accbc7643bbd60abfbd551e144acb0c0c9e29fe26be695843d

Download Submit
\Windows\Windows Audio\Windows logoff sound.exe
Filesize
715KB

MD5
223f0d5a662cd55903180e94f7e1b8f9

SHA1
2496bfa1a88b2096501e3ce4fe3cda590d7a7cd2

SHA256
24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a

SHA512
a20f6f472a1b9bc8878aee80a36f33990cc574cf32a025373d99c9b6eb22a89af80c6b60211d08accbc7643bbd60abfbd551e144acb0c0c9e29fe26be695843d

Download Submit
memory/536-59-0x0000000000000000-mapping.dmp

Download
memory/828-66-0x0000000000000000-mapping.dmp

Download
memory/1568-62-0x0000000000000000-mapping.dmp

Download
memory/1620-56-0x000000000040FD88-mapping.dmp

Download
memory/1628-60-0x0000000000000000-mapping.dmp

Download
memory/1632-58-0x0000000000000000-mapping.dmp

Download
memory/1836-55-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1836-54-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads