24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a

General

Target

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
Size

715KB
MD5

223f0d5a662cd55903180e94f7e1b8f9
SHA1

2496bfa1a88b2096501e3ce4fe3cda590d7a7cd2
SHA256

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a
SHA512

a20f6f472a1b9bc8878aee80a36f33990cc574cf32a025373d99c9b6eb22a89af80c6b60211d08accbc7643bbd60abfbd551e144acb0c0c9e29fe26be695843d

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 2 IoCs

Processes:

Windows logoff sound.exeWindows logoff sound.exe

pid process

1552 Windows logoff sound.exe
3764 Windows logoff sound.exe

pid	process
1552	Windows logoff sound.exe
3764	Windows logoff sound.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exeWindows logoff sound.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run\	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Audio = "\"C:\\Windows\\Windows Audio\\Windows logoff sound.exe\""	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Windows logoff sound.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Audio = "\"C:\\Windows\\Windows Audio\\Windows logoff sound.exe\""	Windows logoff sound.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1204 2588 WerFault.exe iexplore.exe

pid	pid_target	process	target process
1204	2588	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exeWindows logoff sound.exeWindows logoff sound.exeiexplore.exe

description	pid	process	target process
PID 2204 set thread context of 984	2204	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
PID 1552 set thread context of 3764	1552	Windows logoff sound.exe	Windows logoff sound.exe
PID 3764 set thread context of 4536	3764	Windows logoff sound.exe	iexplore.exe
PID 4536 set thread context of 2588	4536	iexplore.exe	iexplore.exe

Drops file in Windows directory 3 IoCs

Processes:

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe

description	ioc	process
File created	C:\Windows\Windows Audio\Windows logoff sound.exe	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
File opened for modification	C:\Windows\Windows Audio\Windows logoff sound.exe	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
File opened for modification	C:\Windows\Windows Audio	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1276 reg.exe
4104 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3440 PING.EXE

pid	process
1276	reg.exe
4104	reg.exe

pid	process
3440	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exeWindows logoff sound.exeiexplore.exe

pid	process
2204	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
2204	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
1552	Windows logoff sound.exe
1552	Windows logoff sound.exe
4536	iexplore.exe
4536	iexplore.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exeWindows logoff sound.exeiexplore.exe

pid	process
2204	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
2204	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
1552	Windows logoff sound.exe
1552	Windows logoff sound.exe
4536	iexplore.exe
4536	iexplore.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.execmd.execmd.exeWindows logoff sound.exeWindows logoff sound.execmd.exeiexplore.exe

description	pid	process	target process
PID 2204 wrote to memory of 984	2204	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
PID 2204 wrote to memory of 984	2204	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
PID 2204 wrote to memory of 984	2204	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
PID 984 wrote to memory of 4616	984	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 984 wrote to memory of 4616	984	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 984 wrote to memory of 4616	984	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 4616 wrote to memory of 1276	4616	cmd.exe	reg.exe
PID 4616 wrote to memory of 1276	4616	cmd.exe	reg.exe
PID 4616 wrote to memory of 1276	4616	cmd.exe	reg.exe
PID 984 wrote to memory of 3116	984	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 984 wrote to memory of 3116	984	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 984 wrote to memory of 3116	984	24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe	cmd.exe
PID 3116 wrote to memory of 3440	3116	cmd.exe	PING.EXE
PID 3116 wrote to memory of 3440	3116	cmd.exe	PING.EXE
PID 3116 wrote to memory of 3440	3116	cmd.exe	PING.EXE
PID 3116 wrote to memory of 1552	3116	cmd.exe	Windows logoff sound.exe
PID 3116 wrote to memory of 1552	3116	cmd.exe	Windows logoff sound.exe
PID 3116 wrote to memory of 1552	3116	cmd.exe	Windows logoff sound.exe
PID 1552 wrote to memory of 3764	1552	Windows logoff sound.exe	Windows logoff sound.exe
PID 1552 wrote to memory of 3764	1552	Windows logoff sound.exe	Windows logoff sound.exe
PID 1552 wrote to memory of 3764	1552	Windows logoff sound.exe	Windows logoff sound.exe
PID 3764 wrote to memory of 1448	3764	Windows logoff sound.exe	cmd.exe
PID 3764 wrote to memory of 1448	3764	Windows logoff sound.exe	cmd.exe
PID 3764 wrote to memory of 1448	3764	Windows logoff sound.exe	cmd.exe
PID 3764 wrote to memory of 4536	3764	Windows logoff sound.exe	iexplore.exe
PID 3764 wrote to memory of 4536	3764	Windows logoff sound.exe	iexplore.exe
PID 3764 wrote to memory of 4536	3764	Windows logoff sound.exe	iexplore.exe
PID 3764 wrote to memory of 4536	3764	Windows logoff sound.exe	iexplore.exe
PID 3764 wrote to memory of 4536	3764	Windows logoff sound.exe	iexplore.exe
PID 3764 wrote to memory of 4536	3764	Windows logoff sound.exe	iexplore.exe
PID 3764 wrote to memory of 4536	3764	Windows logoff sound.exe	iexplore.exe
PID 3764 wrote to memory of 4536	3764	Windows logoff sound.exe	iexplore.exe
PID 3764 wrote to memory of 4536	3764	Windows logoff sound.exe	iexplore.exe
PID 3764 wrote to memory of 4536	3764	Windows logoff sound.exe	iexplore.exe
PID 3764 wrote to memory of 4536	3764	Windows logoff sound.exe	iexplore.exe
PID 3764 wrote to memory of 4536	3764	Windows logoff sound.exe	iexplore.exe
PID 3764 wrote to memory of 4536	3764	Windows logoff sound.exe	iexplore.exe
PID 1448 wrote to memory of 4104	1448	cmd.exe	reg.exe
PID 1448 wrote to memory of 4104	1448	cmd.exe	reg.exe
PID 1448 wrote to memory of 4104	1448	cmd.exe	reg.exe
PID 4536 wrote to memory of 2588	4536	iexplore.exe	iexplore.exe
PID 4536 wrote to memory of 2588	4536	iexplore.exe	iexplore.exe
PID 4536 wrote to memory of 2588	4536	iexplore.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
"C:\Users\Admin\AppData\Local\Temp\24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe
"C:\Users\Admin\AppData\Local\Temp\24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- Modifies registry key
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:3440

C:\Windows\Windows Audio\Windows logoff sound.exe
"C:\Windows\Windows Audio\Windows logoff sound.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\Windows Audio\Windows logoff sound.exe
"C:\Windows\Windows Audio\Windows logoff sound.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
- Modifies registry key
PID:4104

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4536

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
7⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 400
8⤵
- Program crash
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2588 -ip 2588
1⤵
PID:5076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
100B

MD5
1f8013f295aea797be61c6a0656122ae

SHA1
5016720c74dc755b31cdea47c3fb0de12795d37b

SHA256
c713cfcb4c627b06cda7c8987c992f487f3f080667dc3ef18c2d7b377ae5b55f

SHA512
4cf78d4061b632d2650e7ed5d583866e61c94573bc63c9e114fb4c2a4bc12ce17f1309c892a49dcf7cd4a58ee5e306fa25eed5f30007e1a40634ae564d7e5ab0

Download Submit
C:\Windows\Windows Audio\Windows logoff sound.exe
Filesize
715KB

MD5
223f0d5a662cd55903180e94f7e1b8f9

SHA1
2496bfa1a88b2096501e3ce4fe3cda590d7a7cd2

SHA256
24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a

SHA512
a20f6f472a1b9bc8878aee80a36f33990cc574cf32a025373d99c9b6eb22a89af80c6b60211d08accbc7643bbd60abfbd551e144acb0c0c9e29fe26be695843d

Download Submit
C:\Windows\Windows Audio\Windows logoff sound.exe
Filesize
715KB

MD5
223f0d5a662cd55903180e94f7e1b8f9

SHA1
2496bfa1a88b2096501e3ce4fe3cda590d7a7cd2

SHA256
24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a

SHA512
a20f6f472a1b9bc8878aee80a36f33990cc574cf32a025373d99c9b6eb22a89af80c6b60211d08accbc7643bbd60abfbd551e144acb0c0c9e29fe26be695843d

Download Submit
C:\Windows\Windows Audio\Windows logoff sound.exe
Filesize
715KB

MD5
223f0d5a662cd55903180e94f7e1b8f9

SHA1
2496bfa1a88b2096501e3ce4fe3cda590d7a7cd2

SHA256
24f4e039e68850682ba0a2b92b9f5940b241e4c23ca99fc75e1a830310a1135a

SHA512
a20f6f472a1b9bc8878aee80a36f33990cc574cf32a025373d99c9b6eb22a89af80c6b60211d08accbc7643bbd60abfbd551e144acb0c0c9e29fe26be695843d

Download Submit
memory/984-133-0x0000000000000000-mapping.dmp

Download
memory/1276-136-0x0000000000000000-mapping.dmp

Download
memory/1448-146-0x0000000000000000-mapping.dmp

Download
memory/1552-140-0x0000000000000000-mapping.dmp

Download
memory/1552-143-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2204-134-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3116-137-0x0000000000000000-mapping.dmp

Download
memory/3440-139-0x0000000000000000-mapping.dmp

Download
memory/3764-144-0x0000000000000000-mapping.dmp

Download
memory/4104-147-0x0000000000000000-mapping.dmp

Download
memory/4616-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads