e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

General

Target

e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe
Size

411KB
MD5

2adea70fccf261c8c99d87be94dff75b
SHA1

ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623
SHA256

e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0
SHA512

286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Score

10^/10

suricata upx

Malware Config

Signatures

suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
Executes dropped EXE 3 IoCs

Processes:

Audio Service.exeAudio Service.exeAudio Service.exe

pid process

2028 Audio Service.exe
840 Audio Service.exe
1288 Audio Service.exe

pid	process
2028	Audio Service.exe
840	Audio Service.exe
1288	Audio Service.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx

Drops startup file 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audio Service.vbs notepad.exe
Loads dropped DLL 4 IoCs

Processes:

notepad.exeAudio Service.exe

pid process

1948 notepad.exe
1948 notepad.exe
2028 Audio Service.exe
2028 Audio Service.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Suspicious use of SetThreadContext 1 IoCs

Processes:

Audio Service.exe

description pid process target process

PID 2028 set thread context of 840 2028 Audio Service.exe Audio Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1860 840 WerFault.exe Audio Service.exe
NTFS ADS 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe:ZoneIdentifier notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1992 PING.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audio Service.vbs	notepad.exe

pid	process
1948	notepad.exe
1948	notepad.exe
2028	Audio Service.exe
2028	Audio Service.exe

flow	ioc
2	ip-api.com

description	pid	process	target process
PID 2028 set thread context of 840	2028	Audio Service.exe	Audio Service.exe

pid	pid_target	process	target process
1860	840	WerFault.exe	Audio Service.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe:ZoneIdentifier	notepad.exe

pid	process
1992	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exeAudio Service.exeAudio Service.exe

pid	process
800	e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe
2028	Audio Service.exe
1288	Audio Service.exe
1288	Audio Service.exe
1288	Audio Service.exe
1288	Audio Service.exe
1288	Audio Service.exe
1288	Audio Service.exe
1288	Audio Service.exe
1288	Audio Service.exe
1288	Audio Service.exe
1288	Audio Service.exe
1288	Audio Service.exe
1288	Audio Service.exe
1288	Audio Service.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Audio Service.exe

pid process

2028 Audio Service.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Audio Service.exe

description pid process

Token: SeDebugPrivilege 840 Audio Service.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Audio Service.exe

pid process

840 Audio Service.exe

pid	process
2028	Audio Service.exe

description	pid	process
Token: SeDebugPrivilege	840	Audio Service.exe

pid	process
840	Audio Service.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exenotepad.exeAudio Service.exe

description	pid	process	target process
PID 800 wrote to memory of 1948	800	e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe	notepad.exe
PID 800 wrote to memory of 1948	800	e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe	notepad.exe
PID 800 wrote to memory of 1948	800	e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe	notepad.exe
PID 800 wrote to memory of 1948	800	e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe	notepad.exe
PID 800 wrote to memory of 1948	800	e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe	notepad.exe
PID 800 wrote to memory of 1948	800	e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe	notepad.exe
PID 1948 wrote to memory of 2028	1948	notepad.exe	Audio Service.exe
PID 1948 wrote to memory of 2028	1948	notepad.exe	Audio Service.exe
PID 1948 wrote to memory of 2028	1948	notepad.exe	Audio Service.exe
PID 1948 wrote to memory of 2028	1948	notepad.exe	Audio Service.exe
PID 2028 wrote to memory of 840	2028	Audio Service.exe	Audio Service.exe
PID 2028 wrote to memory of 840	2028	Audio Service.exe	Audio Service.exe
PID 2028 wrote to memory of 840	2028	Audio Service.exe	Audio Service.exe
PID 2028 wrote to memory of 840	2028	Audio Service.exe	Audio Service.exe
PID 2028 wrote to memory of 1288	2028	Audio Service.exe	Audio Service.exe
PID 2028 wrote to memory of 1288	2028	Audio Service.exe	Audio Service.exe
PID 2028 wrote to memory of 1288	2028	Audio Service.exe	Audio Service.exe
PID 2028 wrote to memory of 1288	2028	Audio Service.exe	Audio Service.exe

C:\Users\Admin\AppData\Local\Temp\e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe
"C:\Users\Admin\AppData\Local\Temp\e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 1508
5⤵
- Program crash
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\R2WDgGXE3c30.bat" "
5⤵
PID:1644

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
6⤵
PID:516

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe" 2 840 7171724
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1288

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1992

C:\Windows\SysWOW64\chcp.com
chcp 65001
1⤵
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\R2WDgGXE3c30.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
17KB

MD5
d64ada5cbb36654228f2467755dd9446

SHA1
e77a8b0bdd234976a5cd401b9f048e3da8795f49

SHA256
3a2dc9ae9a1c05beba66d5f6f4bac56ff762f84d0683baaa6c0e4a646ae0adfa

SHA512
ff8d17087d19dcafd6d0c311f7b1f1a8654acc5c3a58d08a6d36374522980a2d4ffc72c17240ce8bde647520632fd90b2dd7fade89306da4e8893e86a60bf67f

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
382KB

MD5
b6c4c015f499d462e67ac44473bd98ab

SHA1
b4740a0579c7e1a1d6624afd638d05613f690814

SHA256
5fc95537b812d648f32d035224f9ad228cb2c40b53ea97df42e011ba2fe01bd3

SHA512
c1829cbbc1a2e3c03ba7a87855039a3b7137c2d111d85d0b3798508d405db390b5ee040f5d89f70aad6244669f13f6e46f39ec5ad90cde7416e3cf0c7104dc15

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe

Download Submit
\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
55KB

MD5
cd6e7d5e4135ffcbea970c2fac8cf6e7

SHA1
c882e213fcba7c626af1c83690a1d03367bac6ed

SHA256
8ddad306a293cb4725b9ba378d14ce6bc866cfc8e3ad5975fdaa6de755388954

SHA512
3b438b6c55483907c23562abdc49f256cd05be64caaa5c10f6f399828127cd54c9dbf90ba60f4cc020bd1c9dd914cdc713fb7177c5d382bb209fad47bc44c604

Download Submit
\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
30KB

MD5
6c99a5c3ecceb9ff2beba90b377c9d83

SHA1
defdc7a4f63447f4713f41278919809688d65a93

SHA256
479caa0830631b62f38881fa8eff460329463d1721d7ba1ee35565a83d1b749e

SHA512
ab9c6c0da5a3e4f543ef576707f8bca24616f7049886cdfd7a05ef36d6a18d160468e0e24aa9bdf74f0c49122ec823338fd825a0f0c275733ab209a0ce3d7c41

Download Submit
\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
92KB

MD5
04f7fdbcc07c025a2b57b4717e8a67a1

SHA1
cb9bd142f4ab1e7a3c66584a7530c00151b42d0d

SHA256
2b6132a1870712df28d127ef1b0f914723339cb000f827e93fad74f3f83c4a43

SHA512
cb3242de708c044ca6cf80e88a5d3878bdfab4fa85b7b733dca700ff6c0f2a3b4209efd04a4c0160e9d8bd4073587ead877e0488522e49b712d4cb5b717ca15f

Download Submit
\Users\Admin\AppData\Roaming\Services\Audio Service.exe

Download Submit
\Users\Admin\AppData\Roaming\Services\Audio Service.exe

Download Submit
\Users\Admin\AppData\Roaming\Services\Audio Service.exe

Download Submit
\Users\Admin\AppData\Roaming\Services\Audio Service.exe

Download Submit
\Users\Admin\AppData\Roaming\Services\Audio Service.exe

Download Submit
\Users\Admin\AppData\Roaming\Services\Audio Service.exe

Download Submit
\Users\Admin\AppData\Roaming\Services\Audio Service.exe

Download Submit
memory/516-86-0x0000000000000000-mapping.dmp

Download
memory/800-54-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/800-55-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/840-70-0x0000000000380000-0x00000000003CE000-memory.dmp

Filesize
312KB

Download
memory/840-65-0x00000000004A7500-mapping.dmp

Download
memory/840-69-0x0000000000380000-0x00000000003CE000-memory.dmp

Filesize
312KB

Download
memory/1272-77-0x0000000000000000-mapping.dmp

Download
memory/1288-68-0x0000000000000000-mapping.dmp

Download
memory/1644-74-0x0000000000000000-mapping.dmp

Download
memory/1860-76-0x0000000000000000-mapping.dmp

Download
memory/1948-56-0x0000000000000000-mapping.dmp

Download
memory/1992-82-0x0000000000000000-mapping.dmp

Download
memory/2028-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads