74e1d35bb890c14983bc303fd7a49bb0d89ea8a4653993a74d49f7c5080ac22c

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 01:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74e1d35bb890c14983bc303fd7a49bb0d89ea8a4653993a74d49f7c5080ac22c.exe
Size

782KB
MD5

3680ec233c95b6f8275a306208c472a0
SHA1

45e89a6d0b9bb2f64929d54c383ef5872d2a76b0
SHA256

74e1d35bb890c14983bc303fd7a49bb0d89ea8a4653993a74d49f7c5080ac22c
SHA512

caccae043d165b013f85a3e47e12885615fb41b2053fa0163982f2ff4d5a50db587d0ccdc9c03cb59c67a51b61c067309fc9e798e8b00c325c17373d2b7ac62e
SSDEEP

12288:lW95DzBLfJ5kr7os5AymE8UBpF3pui/WeXpf+RJIWs1YlKwpavRU:ludLfJ5w775xmE8UBp+i/Lmw12Jpa5U

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3592	1610.exe
1268	2957.exe
1468	2957.exe

Loads dropped DLL 1 IoCs

pid	Process
1468	2957.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1268 set thread context of 1468	1268	2957.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers system information 1 TTPs 5 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1164	systeminfo.exe
4088	systeminfo.exe
2032	systeminfo.exe
2180	systeminfo.exe
3816	systeminfo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3604	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3604	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1468	2957.exe
1468	2957.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 3592	1584	74e1d35bb890c14983bc303fd7a49bb0d89ea8a4653993a74d49f7c5080ac22c.exe	83
PID 1584 wrote to memory of 3592	1584	74e1d35bb890c14983bc303fd7a49bb0d89ea8a4653993a74d49f7c5080ac22c.exe	83
PID 1584 wrote to memory of 3592	1584	74e1d35bb890c14983bc303fd7a49bb0d89ea8a4653993a74d49f7c5080ac22c.exe	83
PID 3592 wrote to memory of 2420	3592	1610.exe	84
PID 3592 wrote to memory of 2420	3592	1610.exe	84
PID 3592 wrote to memory of 2420	3592	1610.exe	84
PID 3592 wrote to memory of 2420	3592	1610.exe	84
PID 3592 wrote to memory of 2276	3592	1610.exe	85
PID 3592 wrote to memory of 2276	3592	1610.exe	85
PID 3592 wrote to memory of 2276	3592	1610.exe	85
PID 1584 wrote to memory of 1268	1584	74e1d35bb890c14983bc303fd7a49bb0d89ea8a4653993a74d49f7c5080ac22c.exe	87
PID 1584 wrote to memory of 1268	1584	74e1d35bb890c14983bc303fd7a49bb0d89ea8a4653993a74d49f7c5080ac22c.exe	87
PID 1584 wrote to memory of 1268	1584	74e1d35bb890c14983bc303fd7a49bb0d89ea8a4653993a74d49f7c5080ac22c.exe	87
PID 2276 wrote to memory of 2032	2276	CMD.exe	88
PID 2276 wrote to memory of 2032	2276	CMD.exe	88
PID 2276 wrote to memory of 2032	2276	CMD.exe	88
PID 1268 wrote to memory of 1468	1268	2957.exe	89
PID 1268 wrote to memory of 1468	1268	2957.exe	89
PID 1268 wrote to memory of 1468	1268	2957.exe	89
PID 1268 wrote to memory of 1468	1268	2957.exe	89
PID 1268 wrote to memory of 1468	1268	2957.exe	89
PID 1268 wrote to memory of 1468	1268	2957.exe	89
PID 1268 wrote to memory of 1468	1268	2957.exe	89
PID 1268 wrote to memory of 1468	1268	2957.exe	89
PID 1268 wrote to memory of 1468	1268	2957.exe	89
PID 2276 wrote to memory of 2180	2276	CMD.exe	93
PID 2276 wrote to memory of 2180	2276	CMD.exe	93
PID 2276 wrote to memory of 2180	2276	CMD.exe	93
PID 2276 wrote to memory of 3816	2276	CMD.exe	94
PID 2276 wrote to memory of 3816	2276	CMD.exe	94
PID 2276 wrote to memory of 3816	2276	CMD.exe	94
PID 2276 wrote to memory of 1164	2276	CMD.exe	95
PID 2276 wrote to memory of 1164	2276	CMD.exe	95
PID 2276 wrote to memory of 1164	2276	CMD.exe	95
PID 2276 wrote to memory of 4088	2276	CMD.exe	96
PID 2276 wrote to memory of 4088	2276	CMD.exe	96
PID 2276 wrote to memory of 4088	2276	CMD.exe	96

C:\Users\Admin\AppData\Local\Temp\74e1d35bb890c14983bc303fd7a49bb0d89ea8a4653993a74d49f7c5080ac22c.exe
"C:\Users\Admin\AppData\Local\Temp\74e1d35bb890c14983bc303fd7a49bb0d89ea8a4653993a74d49f7c5080ac22c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\1610.exe
  C:\Users\Admin\AppData\Local\Temp\1610.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe shell32.dll,Control_RunDLL
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && DEL "C:\Users\Admin\AppData\Local\Temp\1610.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\systeminfo.exe
      SYSTEMINFO
      4⤵
      Gathers system information
      PID:2032
  - - C:\Windows\SysWOW64\systeminfo.exe
      SYSTEMINFO
      4⤵
      Gathers system information
      PID:2180
  - - C:\Windows\SysWOW64\systeminfo.exe
      SYSTEMINFO
      4⤵
      Gathers system information
      PID:3816
  - - C:\Windows\SysWOW64\systeminfo.exe
      SYSTEMINFO
      4⤵
      Gathers system information
      PID:1164
  - - C:\Windows\SysWOW64\systeminfo.exe
      SYSTEMINFO
      4⤵
      Gathers system information
      PID:4088
- C:\Users\Admin\AppData\Local\Temp\2957.exe
  C:\Users\Admin\AppData\Local\Temp\2957.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Users\Admin\AppData\Local\Temp\2957.exe
    C:\Users\Admin\AppData\Local\Temp\2957.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1468

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c0 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1610.exe

Filesize
548KB

MD5
2a00bdf00d0bd8c03235a6df6ea17638

SHA1
12f600b3d1d666aa7c68b78df05353733555c7c8

SHA256
90ed84c881436fcb64d34800f7962017a8a1a2580675ea9c4534eea9f9bf662a

SHA512
1c953e55b819435113eb8277cab4e245fc19dd6b233e04719afb4161fcaff99755dbb43a251ed25464f726d1861014d9b7f0bec14d335d28961576b792980b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1610.exe

Filesize
548KB

MD5
2a00bdf00d0bd8c03235a6df6ea17638

SHA1
12f600b3d1d666aa7c68b78df05353733555c7c8

SHA256
90ed84c881436fcb64d34800f7962017a8a1a2580675ea9c4534eea9f9bf662a

SHA512
1c953e55b819435113eb8277cab4e245fc19dd6b233e04719afb4161fcaff99755dbb43a251ed25464f726d1861014d9b7f0bec14d335d28961576b792980b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2957.exe

Filesize
548KB

MD5
189c8921725a013eaeec26ca27eae280

SHA1
adf41ff6c04e5973d0e343734298be9091eafc8a

SHA256
808982b20ac851976ef5d8113e05a9f94629175df553d400f5296868b908d2f0

SHA512
2c0848a23d96dc3359c38a11cd4357f00435b968d05991c121dc2a182a74eb8eeefcf23d1b5e1dbfe1ff0d17f976e3f47142c73e8c79d170d3d6f88b2a6db5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2957.exe

Filesize
548KB

MD5
189c8921725a013eaeec26ca27eae280

SHA1
adf41ff6c04e5973d0e343734298be9091eafc8a

SHA256
808982b20ac851976ef5d8113e05a9f94629175df553d400f5296868b908d2f0

SHA512
2c0848a23d96dc3359c38a11cd4357f00435b968d05991c121dc2a182a74eb8eeefcf23d1b5e1dbfe1ff0d17f976e3f47142c73e8c79d170d3d6f88b2a6db5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2957.exe

Filesize
548KB

MD5
189c8921725a013eaeec26ca27eae280

SHA1
adf41ff6c04e5973d0e343734298be9091eafc8a

SHA256
808982b20ac851976ef5d8113e05a9f94629175df553d400f5296868b908d2f0

SHA512
2c0848a23d96dc3359c38a11cd4357f00435b968d05991c121dc2a182a74eb8eeefcf23d1b5e1dbfe1ff0d17f976e3f47142c73e8c79d170d3d6f88b2a6db5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmABB6.tmp

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
memory/1268-146-0x00000000020E0000-0x0000000002142000-memory.dmp

Filesize
392KB

Download
memory/1268-147-0x0000000000720000-0x0000000000725000-memory.dmp

Filesize
20KB

Download
memory/1468-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1468-158-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1468-157-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1468-155-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1468-149-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1468-150-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1468-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2420-144-0x0000000000BC0000-0x0000000000BC3000-memory.dmp

Filesize
12KB

Download
memory/2420-145-0x0000000000F80000-0x0000000000F87000-memory.dmp

Filesize
28KB

Download
memory/3592-138-0x00000000005E0000-0x00000000005E4000-memory.dmp

Filesize
16KB

Download
memory/3592-139-0x0000000000610000-0x0000000000617000-memory.dmp

Filesize
28KB

Download
memory/3592-137-0x0000000002140000-0x00000000021A2000-memory.dmp

Filesize
392KB

Download