72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4

General

Target

72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4.exe
Size

176KB
MD5

666637837fff2837d0c798b0bc411160
SHA1

af62c162cf8879b5c99bc2c61a414c11f164e491
SHA256

72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4
SHA512

b31bc979b5cdf21e448a8d31d606476876da939eb034c0c71f44731e4959c9c3e6ab2a701455d8349c847b13709aded47ba77749122ff4b796b095801c0e765e
SSDEEP

3072:XogIIJPyeiKKop5TosVv/jKufybA2d26csLGVoQF9Wu:Xogu8VNosZ/jud2lWu

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
1692	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.qq5.com/?gg"	72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1664	72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: 33	1532	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1532	AUDIODG.EXE
Token: 33	1532	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1532	AUDIODG.EXE
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1972	1664	72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4.exe	28
PID 1664 wrote to memory of 1972	1664	72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4.exe	28
PID 1664 wrote to memory of 1972	1664	72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4.exe	28
PID 1664 wrote to memory of 1972	1664	72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4.exe	28
PID 1664 wrote to memory of 1692	1664	72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4.exe	31
PID 1664 wrote to memory of 1692	1664	72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4.exe	31
PID 1664 wrote to memory of 1692	1664	72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4.exe	31
PID 1664 wrote to memory of 1692	1664	72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4.exe	31

C:\Users\Admin\AppData\Local\Temp\72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4.exe
"C:\Users\Admin\AppData\Local\Temp\72b3e6909fec6e4c5a8b54fb34f62057e14658872157ccaf4ad6541833f818c4.exe"
1⤵
- Drops file in Drivers directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\yyyy.bat
  2⤵
  - Deletes itself
  PID:1692

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x478
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yyyy

Filesize
176KB

MD5
6eb23c7e6db50b38471251b3046e17a0

SHA1
2a957f3d7b726e08db4d4b8768352d334650777b

SHA256
2e21a09726f43b3685cd0f7e9689c56b7a2e6d496edad56d5e2115e58897480d

SHA512
0cc84e346440a5009c0da1a7807f3ad070f73e63d6919bc4b4fce2c8e98afd2368274ed1533ca22a5c4beb058f3812c56a81b2aa059bc16fb64f1b5571c7d6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyyy.bat

Filesize
337B

MD5
cad0ad058a01402942c90fc351e44a90

SHA1
578e70c3e793934e3673cbd24e49810048a21c83

SHA256
5cb09abe8213c1b44827fd894aba8f5b7b714aeccf6a8959cd2da84a39b0429b

SHA512
e51e8b49e1d2055ad18b30f2f5d7cfb47e900c5427396d18897e2ef1b464b71a95c64d53fd6584b6483f24799667e337f1b9a15c3dd4f11e8dabb6ab79aebe37

Download Submit
memory/1664-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1692-57-0x0000000000000000-mapping.dmp

Download
memory/1972-55-0x0000000000000000-mapping.dmp

Download
memory/1972-56-0x000007FEFC621000-0x000007FEFC623000-memory.dmp

Filesize
8KB

Download
memory/1972-61-0x0000000004290000-0x00000000042A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads