05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3.exe
Size

286KB
MD5

7c72ad75a288a697d57feea2de0bf070
SHA1

a92125d0ec6307faf88c744d83cb6d48529f6e9b
SHA256

05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3
SHA512

335fc4d510daccb138f74a740ce680ac13cf3c624a69692ddcde1662e70835c00f4fc1f0a3f8bf77e0297151c6978346c0dc8f6f65bf3b873ff87217d6e28a7e
SSDEEP

3072:SgXdZt9P6D3XJnCQPwtecPC/PPgLfXKfKbYOX0Hf5X6jImoe/ss6kRC4SQ461wjC:Se34kQPwnPC/ngLyPB7NkRx12jK9Inqh

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1936	setup.exe

Loads dropped DLL 10 IoCs

pid	Process
1720	05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3.exe
1720	05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3.exe
1720	05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3.exe
1720	05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	364	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	364	AUDIODG.EXE
Token: 33	364	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	364	AUDIODG.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1936	1720	05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3.exe	26
PID 1720 wrote to memory of 1936	1720	05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3.exe	26
PID 1720 wrote to memory of 1936	1720	05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3.exe	26
PID 1720 wrote to memory of 1936	1720	05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3.exe	26
PID 1720 wrote to memory of 1936	1720	05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3.exe	26
PID 1720 wrote to memory of 1936	1720	05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3.exe	26
PID 1720 wrote to memory of 1936	1720	05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3.exe	26

C:\Users\Admin\AppData\Local\Temp\05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3.exe
"C:\Users\Admin\AppData\Local\Temp\05ad36aafd7b5da07aa7a458f4fe8d0b3d49901eb4db7ad05f0c68f9a2c878f3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\nsj45AA.tmp\setup.exe
  C:\Users\Admin\AppData\Local\Temp\nsj45AA.tmp\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1936

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x530
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj45AA.tmp\setup.exe

Filesize
212KB

MD5
be867cc061803cc072f681278e7e89e8

SHA1
605ca76cc2ff9e95eca949657ccc2c6a0e82f8e0

SHA256
25183980ed7be29e5abc9ee1b038ca4c5ec9b9b884383fb35f305b149a3d6f2b

SHA512
0efe314ca2e0682a42cb0c034e7bb0071ef5f1ad0ae7d4fde560aa53ef529cb9092b7ec96ecc233db16a7cd5867297924534d07b4aa30989b086a1c4380365cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj45AA.tmp\setup.exe

Filesize
212KB

MD5
be867cc061803cc072f681278e7e89e8

SHA1
605ca76cc2ff9e95eca949657ccc2c6a0e82f8e0

SHA256
25183980ed7be29e5abc9ee1b038ca4c5ec9b9b884383fb35f305b149a3d6f2b

SHA512
0efe314ca2e0682a42cb0c034e7bb0071ef5f1ad0ae7d4fde560aa53ef529cb9092b7ec96ecc233db16a7cd5867297924534d07b4aa30989b086a1c4380365cf

Download Submit
\Users\Admin\AppData\Local\Temp\HPQMUMXavWdYjkJAebCw.DLL

Filesize
12KB

MD5
e6144fb36c1fdc6ba1d1afa9632588f8

SHA1
c4964264c6600fde210a644b639e2ea25ecb67e6

SHA256
b141412d0611571df381c26186b3fc438c725d6e45ad66fd76413322c17a9ac6

SHA512
400ca4e2ad987a88429da21d795f7365bd230ed4225e19b7841dcc09606e0afde2f3cc31aa8be4ee83dd3c6b0339cb2c13953523bdc8d2f547d953c6c6c8d339

Download Submit
\Users\Admin\AppData\Local\Temp\NMsILLVxluDVorPgdpoR.DLL

Filesize
35KB

MD5
76a9565c5f51775719eebda1f25530a5

SHA1
332feae4dba6b4a93bebea7a881a0fa758891091

SHA256
a1a7c4f74d4fe7784ed03709e5f946b94cc10a64e3ae0ad5a9a3bece9a8a2c0a

SHA512
79c9af704d1626cad9d44470585baf8d5f082b5d77c285fc6ae4862e99439f838fe9b1e745f8f2487fa64d5d7304954f66d0cef222db4dc9095a7294172094e9

Download Submit
\Users\Admin\AppData\Local\Temp\jSGzUcaqhS.DLL

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
\Users\Admin\AppData\Local\Temp\nsj45AA.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsj45AA.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsj45AA.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj45AA.tmp\setup.exe

Filesize
212KB

MD5
be867cc061803cc072f681278e7e89e8

SHA1
605ca76cc2ff9e95eca949657ccc2c6a0e82f8e0

SHA256
25183980ed7be29e5abc9ee1b038ca4c5ec9b9b884383fb35f305b149a3d6f2b

SHA512
0efe314ca2e0682a42cb0c034e7bb0071ef5f1ad0ae7d4fde560aa53ef529cb9092b7ec96ecc233db16a7cd5867297924534d07b4aa30989b086a1c4380365cf

Download Submit
\Users\Admin\AppData\Local\Temp\nsj45AA.tmp\setup.exe

Filesize
212KB

MD5
be867cc061803cc072f681278e7e89e8

SHA1
605ca76cc2ff9e95eca949657ccc2c6a0e82f8e0

SHA256
25183980ed7be29e5abc9ee1b038ca4c5ec9b9b884383fb35f305b149a3d6f2b

SHA512
0efe314ca2e0682a42cb0c034e7bb0071ef5f1ad0ae7d4fde560aa53ef529cb9092b7ec96ecc233db16a7cd5867297924534d07b4aa30989b086a1c4380365cf

Download Submit
\Users\Admin\AppData\Local\Temp\nsj45AA.tmp\setup.exe

Filesize
212KB

MD5
be867cc061803cc072f681278e7e89e8

SHA1
605ca76cc2ff9e95eca949657ccc2c6a0e82f8e0

SHA256
25183980ed7be29e5abc9ee1b038ca4c5ec9b9b884383fb35f305b149a3d6f2b

SHA512
0efe314ca2e0682a42cb0c034e7bb0071ef5f1ad0ae7d4fde560aa53ef529cb9092b7ec96ecc233db16a7cd5867297924534d07b4aa30989b086a1c4380365cf

Download Submit
\Users\Admin\AppData\Local\Temp\nsj45AA.tmp\setup.exe

Filesize
212KB

MD5
be867cc061803cc072f681278e7e89e8

SHA1
605ca76cc2ff9e95eca949657ccc2c6a0e82f8e0

SHA256
25183980ed7be29e5abc9ee1b038ca4c5ec9b9b884383fb35f305b149a3d6f2b

SHA512
0efe314ca2e0682a42cb0c034e7bb0071ef5f1ad0ae7d4fde560aa53ef529cb9092b7ec96ecc233db16a7cd5867297924534d07b4aa30989b086a1c4380365cf

Download Submit
memory/1720-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1720-59-0x00000000024F0000-0x0000000002569000-memory.dmp

Filesize
484KB

Download
memory/1936-63-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1936-71-0x0000000000230000-0x00000000002A9000-memory.dmp

Filesize
484KB

Download
memory/1936-72-0x0000000002920000-0x0000000002933000-memory.dmp

Filesize
76KB

Download
memory/1936-73-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1936-74-0x0000000002920000-0x0000000002933000-memory.dmp

Filesize
76KB

Download