f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b

General

Target

f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b.exe
Size

1.6MB
MD5

642350a939ff8aa8ecea090f8221ac20
SHA1

b4c893ad3ddf50ebd8d98f3c53e615d946fc866f
SHA256

f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b
SHA512

f548cd2ff623106797b655964dd105bd06e464eea9a59bd388245d4b743176012e1dcd0e3df9f7ed9759c5a6d8fadc736815539156544331a972d7da9b4d645e
SSDEEP

24576:udZe+jWVZNqWDS/bgpunWA+75j69cuHst5aKf+PuG8IIi4hZphbyc:uH+PoWDUgzhu9cuMt4vTaiqZe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ServerMinecraft.exe

pid process

1280 ServerMinecraft.exe
Loads dropped DLL 2 IoCs

Processes:

f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b.exedw20.exe

pid process

1648 f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b.exe
1480 dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

1984 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1984 vlc.exe

pid	process
1280	ServerMinecraft.exe

pid	process
1648	f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b.exe
1480	dw20.exe

pid	process
1984	vlc.exe

pid	process
1984	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AUDIODG.EXEvlc.exe

description	pid	process
Token: 33	1688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1688	AUDIODG.EXE
Token: 33	1688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1688	AUDIODG.EXE
Token: 33	1984	vlc.exe
Token: SeIncBasePriorityPrivilege	1984	vlc.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

vlc.exe

pid process

1984 vlc.exe
1984 vlc.exe
1984 vlc.exe
1984 vlc.exe
1984 vlc.exe
1984 vlc.exe
1984 vlc.exe
1984 vlc.exe
1984 vlc.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

vlc.exe

pid process

1984 vlc.exe
1984 vlc.exe
1984 vlc.exe
1984 vlc.exe
1984 vlc.exe
1984 vlc.exe
1984 vlc.exe
1984 vlc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

1984 vlc.exe

pid	process
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe

pid	process
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe

pid	process
1984	vlc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b.exeServerMinecraft.exe

description	pid	process	target process
PID 1648 wrote to memory of 1280	1648	f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b.exe	ServerMinecraft.exe
PID 1648 wrote to memory of 1280	1648	f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b.exe	ServerMinecraft.exe
PID 1648 wrote to memory of 1280	1648	f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b.exe	ServerMinecraft.exe
PID 1648 wrote to memory of 1280	1648	f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b.exe	ServerMinecraft.exe
PID 1648 wrote to memory of 1984	1648	f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b.exe	vlc.exe
PID 1648 wrote to memory of 1984	1648	f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b.exe	vlc.exe
PID 1648 wrote to memory of 1984	1648	f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b.exe	vlc.exe
PID 1648 wrote to memory of 1984	1648	f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b.exe	vlc.exe
PID 1280 wrote to memory of 1480	1280	ServerMinecraft.exe	dw20.exe
PID 1280 wrote to memory of 1480	1280	ServerMinecraft.exe	dw20.exe
PID 1280 wrote to memory of 1480	1280	ServerMinecraft.exe	dw20.exe
PID 1280 wrote to memory of 1480	1280	ServerMinecraft.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b.exe
"C:\Users\Admin\AppData\Local\Temp\f2acfb304c1a01d708a90d1c7a707562b80379d0f189e39c786ada78ccebbd7b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\ServerMinecraft.exe
"C:\Users\Admin\AppData\Local\Temp\ServerMinecraft.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 396
3⤵
- Loads dropped DLL
PID:1480

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\ÊæÒíä.mp3"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ServerMinecraft.exe
Filesize
49KB

MD5
0778cbc7e472f450c2bf8855719b5ca4

SHA1
dbc48c862eb6dfddc9007d246a64c1e11b063969

SHA256
28cd0ae4cfe7a50d75e5e866d36a4c174065407f24e23c7c631bc130f80b288d

SHA512
c964b46d8a033eed5dc85a6e6f55f51c7e07088121b0bd4ab69a3b83593473e528c3aef8286b8b7f5add14435c307d92fdd08d2c09188541132aa6f57d70873d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ServerMinecraft.exe
Filesize
49KB

MD5
0778cbc7e472f450c2bf8855719b5ca4

SHA1
dbc48c862eb6dfddc9007d246a64c1e11b063969

SHA256
28cd0ae4cfe7a50d75e5e866d36a4c174065407f24e23c7c631bc130f80b288d

SHA512
c964b46d8a033eed5dc85a6e6f55f51c7e07088121b0bd4ab69a3b83593473e528c3aef8286b8b7f5add14435c307d92fdd08d2c09188541132aa6f57d70873d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÊæÒíä.mp3
Filesize
1.4MB

MD5
89b73a34ea5634807f5b7c36e9ed3755

SHA1
01a12b8ca66adb5000a1dc3f23e64fe521a5f154

SHA256
76e673f5161952de32688c1bd59c0ec2cc84475d8cc790c38be1056057e09a77

SHA512
ce0ed525b2c6b454ac8477c6c963532f97434bf29881f136312106b4631fa331e3142bfbfe62d8cba63b8cdcd886d617391fe89ceb8df84cf9aec3056c1cd3d4

Download Submit
\Users\Admin\AppData\Local\Temp\ServerMinecraft.exe
Filesize
49KB

MD5
0778cbc7e472f450c2bf8855719b5ca4

SHA1
dbc48c862eb6dfddc9007d246a64c1e11b063969

SHA256
28cd0ae4cfe7a50d75e5e866d36a4c174065407f24e23c7c631bc130f80b288d

SHA512
c964b46d8a033eed5dc85a6e6f55f51c7e07088121b0bd4ab69a3b83593473e528c3aef8286b8b7f5add14435c307d92fdd08d2c09188541132aa6f57d70873d

Download Submit
\Users\Admin\AppData\Local\Temp\ServerMinecraft.exe
Filesize
49KB

MD5
0778cbc7e472f450c2bf8855719b5ca4

SHA1
dbc48c862eb6dfddc9007d246a64c1e11b063969

SHA256
28cd0ae4cfe7a50d75e5e866d36a4c174065407f24e23c7c631bc130f80b288d

SHA512
c964b46d8a033eed5dc85a6e6f55f51c7e07088121b0bd4ab69a3b83593473e528c3aef8286b8b7f5add14435c307d92fdd08d2c09188541132aa6f57d70873d

Download Submit
memory/1280-56-0x0000000000000000-mapping.dmp

Download
memory/1280-66-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1280-67-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-61-0x0000000000000000-mapping.dmp

Download
memory/1648-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1984-59-0x0000000000000000-mapping.dmp

Download
memory/1984-62-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing