Analysis
max time kernel: 49s
max time network: 126s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20-10-2022 19:14
Static task: static1
Behavioral task: behavioral1
  Sample: f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe
  Resource: win10v2004-20220812-en
General
Target: f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe
Size: 631KB
MD5: 90043c13ad9a6ca17b5ec85617c964dd
SHA1: 8baadebcefbc250aa8a8bf55dbdaf83d9f7fc4fb
SHA256: f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380
SHA512: a8e98003c709c6ae110a1c5d9b74d5e3b76633eaf3d487b50fa7905f669097aa87dd53b6f769e20f79d2cf84c5bb8570c23e302fe2f09ed76f870742f9848890
SSDEEP: 12288:z7c14hizuzg7rwYK78qdHcdfgdzrj1veK5EyNL4u7iWNk1cOI85:k6QzoYKiBQ3jEK3NLlvk1c
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  pid   Process
  524   WindowsSecurityUpdate.exe

Yara rule hits: upx (5 IoCs). The same 0x400000-0x517000 region is flagged in both the submitted sample (PID 1032) and the dropped copy (PID 524), consistent with the dropped file being the same UPX-packed image.
  resource                                                                     yara_rule
  behavioral1/memory/1032-55-0x0000000000400000-0x0000000000517000-memory.dmp  upx
  behavioral1/memory/1032-59-0x0000000000400000-0x0000000000517000-memory.dmp  upx
  behavioral1/memory/524-73-0x0000000000400000-0x0000000000517000-memory.dmp   upx
  behavioral1/memory/524-74-0x0000000000400000-0x0000000000517000-memory.dmp   upx
  behavioral1/memory/1032-75-0x0000000000400000-0x0000000000517000-memory.dmp  upx

Loads dropped DLL (6 IoCs; the report does not name the DLLs)
  pid    Process
  1032   f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe
  1032   f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe
  1032   f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe
  524    WindowsSecurityUpdate.exe
  524    WindowsSecurityUpdate.exe
  524    WindowsSecurityUpdate.exe
Enumerates physical storage devices (1 TTP, no IoC listed)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but drive enumeration is also routine for installers and packers, and nothing else on this page (no file writes beyond the dropped executable, no ransom note, no encryption activity) supports that classification; treat it as a weak signal on its own.
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid    Process
  1032   f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                        pid    Process
  Token: 33                          2044   AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  2044   AUDIODG.EXE
  Token: 33                          2044   AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  2044   AUDIODG.EXE
All four entries belong to AUDIODG.EXE (PID 2044), the Windows audio device graph host, which the process tree below lists at depth 1 with no parent/child link to the sample. Raising its own base priority is normal for that process; this signature is analysis-VM background noise, not behaviour of the submitted binary.
Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid    Process                                                                 procid_target
  PID 1032 wrote to memory of 524    1032   f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe   29
  PID 1032 wrote to memory of 524    1032   f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe   29
  PID 1032 wrote to memory of 524    1032   f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe   29
  PID 1032 wrote to memory of 524    1032   f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe   29
  PID 1032 wrote to memory of 524    1032   f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe   29
  PID 1032 wrote to memory of 524    1032   f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe   29
  PID 1032 wrote to memory of 524    1032   f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe   29
Every entry is the sample (PID 1032) writing into the child it created (PID 524, WindowsSecurityUpdate.exe). A parent writes into a freshly created child's address space as part of ordinary process creation, so on its own this signature corroborates the drop-and-execute chain rather than showing injection into an unrelated process; there is no write to any other target on this page.
Processes
C:\Users\Admin\AppData\Local\Temp\f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe"
  depth: 1
  PID: 1032
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\HfDRRR9D\WindowsSecurityUpdate.exe
    command line: "C:\Users\Admin\AppData\Roaming\HfDRRR9D\WindowsSecurityUpdate.exe" -services
    depth: 2 (child of PID 1032)
    PID: 524
    - Executes dropped EXE
    - Loads dropped DLL
C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x558
  depth: 1 (top-level; not a descendant of the sample)
  PID: 2044
  - Suspicious use of AdjustPrivilegeToken
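The signatures and process tree above, triaged in code. This is an added example, not output of the sandbox or code from the page: the PROCESSES records are constructed from the Processes section (parent PIDs for the two depth-1 processes are assumed, since the report does not list them), the yara hit lines are copied verbatim from the report, and the three heuristics (Temp-to-Roaming launch chain, random-looking 8-character drop directory, Windows-sounding file name outside the system directories) are this example's own assumptions, not sandbox signatures. It parses the memory-dump hit format to show that both PIDs share one packed region, walks the tree to show AUDIODG.EXE is not attributable to the sample, and flags the dropped executable.

```python
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed from this report's Processes section. The report lists no
# parent for the two depth-1 processes, so ppid 1900 and 1100 are assumed.
PROCESSES = [
    {"pid": 1032, "ppid": 1900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380.exe"},
    {"pid": 524, "ppid": 1032,
     "image": r"C:\Users\Admin\AppData\Roaming\HfDRRR9D\WindowsSecurityUpdate.exe"},
    {"pid": 2044, "ppid": 1100,
     "image": r"C:\Windows\system32\AUDIODG.EXE"},
]

# Copied verbatim from the report's "upx" yara rule hits.
YARA_HITS = [
    "behavioral1/memory/1032-55-0x0000000000400000-0x0000000000517000-memory.dmp upx",
    "behavioral1/memory/1032-59-0x0000000000400000-0x0000000000517000-memory.dmp upx",
    "behavioral1/memory/524-73-0x0000000000400000-0x0000000000517000-memory.dmp upx",
    "behavioral1/memory/524-74-0x0000000000400000-0x0000000000517000-memory.dmp upx",
    "behavioral1/memory/1032-75-0x0000000000400000-0x0000000000517000-memory.dmp upx",
]

# Shape of a hit line: <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>
HIT_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp\s+(?P<rule>\S+)$")


def parse_hit(line: str) -> Dict:
    """Split one yara memory-dump hit line into typed fields."""
    m = HIT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised yara hit line: {line!r}")
    d = m.groupdict()
    return {"task": d["task"], "pid": int(d["pid"]), "seq": int(d["seq"]),
            "start": int(d["start"], 16), "end": int(d["end"], 16), "rule": d["rule"]}


def shared_regions(lines: List[str]) -> Dict[Tuple[str, int, int], List[int]]:
    """Group hits by (rule, start, end) and list the PIDs each region was seen in.
    One region appearing under several PIDs means the same packed image was
    mapped in each of them (here: the sample and its dropped copy)."""
    groups: Dict[Tuple[str, int, int], Set[int]] = defaultdict(set)
    for h in map(parse_hit, lines):
        groups[(h["rule"], h["start"], h["end"])].add(h["pid"])
    return {k: sorted(v) for k, v in groups.items()}


def descendants(root: int, processes: List[Dict]) -> Set[int]:
    """PIDs reachable from root via ppid links. Anything outside this set
    (AUDIODG.EXE here) cannot be attributed to the sample's behaviour."""
    children = defaultdict(list)
    for p in processes:
        children[p["ppid"]].append(p["pid"])
    seen, stack = set(), [root]
    while stack:
        for c in children[stack.pop()]:
            if c not in seen:
                seen.add(c)
                stack.append(c)
    return seen


# Heuristics: assumptions of this example, not sandbox signatures.
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\(?P<dir>[^\\]+)\\[^\\]+\.exe$", re.I)
SYSTEM_DIRS = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
WINDOWS_LIKE = re.compile(r"^windows.*\.exe$", re.I)


def score_process(proc: Dict, by_pid: Dict[int, Dict]) -> List[str]:
    """Return the reasons a process record looks like a dropped payload."""
    reasons = []
    parent = by_pid.get(proc["ppid"])
    m = ROAMING_EXE.search(proc["image"])
    if m:
        if parent and USER_TEMP.search(parent["image"]):
            reasons.append("launched from AppData\\Roaming by a parent in Temp (drop-and-execute)")
        d = m.group("dir")
        # 8 mixed-case alphanumerics with a digit, e.g. HfDRRR9D
        if re.fullmatch(r"[A-Za-z0-9]{8}", d) and re.search(r"\d", d) and d != d.lower():
            reasons.append(f"random-looking drop directory {d!r}")
    if WINDOWS_LIKE.match(ntpath.basename(proc["image"])) and not SYSTEM_DIRS.match(proc["image"]):
        reasons.append("Windows-component-style file name outside the system directories")
    return reasons


def triage(processes: List[Dict]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every process that triggers at least one heuristic."""
    by_pid = {p["pid"]: p for p in processes}
    findings = {}
    for p in processes:
        reasons = score_process(p, by_pid)
        if reasons:
            findings[p["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for (rule, start, end), pids in shared_regions(YARA_HITS).items():
        print(f"{rule} region 0x{start:x}-0x{end:x} seen in PIDs {pids}")
    print("sample process tree:", sorted(descendants(1032, PROCESSES)))
    for pid, reasons in triage(PROCESSES).items():
        print(pid, reasons)
```

Run as-is it reports one upx region shared by PIDs 524 and 1032, a sample tree containing only 524, and three findings for PID 524; PID 2044 triggers nothing and sits outside the tree.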
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 631KB
MD5: 90043c13ad9a6ca17b5ec85617c964dd
SHA1: 8baadebcefbc250aa8a8bf55dbdaf83d9f7fc4fb
SHA256: f4b935edaaea4ebd3a681e7a9e619765abb46af0c218918b94eba276df66c380
SHA512: a8e98003c709c6ae110a1c5d9b74d5e3b76633eaf3d487b50fa7905f669097aa87dd53b6f769e20f79d2cf84c5bb8570c23e302fe2f09ed76f870742f9848890
(Every download entry on the page carries these same hashes, i.e. the same 631KB binary as the submitted sample.)