072a5598ea9b1b9f138815318055adc633968f1c84aecf3f86e4f4ee06ee51c9

General

Target

072a5598ea9b1b9f138815318055adc633968f1c84aecf3f86e4f4ee06ee51c9.exe
Size

484KB
MD5

821c00aa113eec1bad3d4e54e2972d90
SHA1

3990bddcf34ad33a522ad51df6747054b2247ea2
SHA256

072a5598ea9b1b9f138815318055adc633968f1c84aecf3f86e4f4ee06ee51c9
SHA512

97ef34c352eb5ca1a6efd63dd74193031a3881e6a2fcedb0c6464a8c9efdf33341b67517ca7e2b14d25a9dc9440321afbf76c2546a5ea2f66af5e2be6355a52c
SSDEEP

768:46lJ40YEiiCGMGHG7e01yzx611pvy9BtNQJt/2e4fYsPI:Pk0Yhyr93NQJtZ36I

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
940	audiodh.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN\Windows Graphisolierung für Audiohdgeräte = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\audiodh.exe"	072a5598ea9b1b9f138815318055adc633968f1c84aecf3f86e4f4ee06ee51c9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Graphisolierung für Audiohdgeräte = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\audiodh.exe"	072a5598ea9b1b9f138815318055adc633968f1c84aecf3f86e4f4ee06ee51c9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	072a5598ea9b1b9f138815318055adc633968f1c84aecf3f86e4f4ee06ee51c9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	audiodh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	audiodh.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	072a5598ea9b1b9f138815318055adc633968f1c84aecf3f86e4f4ee06ee51c9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 940	1980	072a5598ea9b1b9f138815318055adc633968f1c84aecf3f86e4f4ee06ee51c9.exe	28
PID 1980 wrote to memory of 940	1980	072a5598ea9b1b9f138815318055adc633968f1c84aecf3f86e4f4ee06ee51c9.exe	28
PID 1980 wrote to memory of 940	1980	072a5598ea9b1b9f138815318055adc633968f1c84aecf3f86e4f4ee06ee51c9.exe	28

C:\Users\Admin\AppData\Local\Temp\072a5598ea9b1b9f138815318055adc633968f1c84aecf3f86e4f4ee06ee51c9.exe
"C:\Users\Admin\AppData\Local\Temp\072a5598ea9b1b9f138815318055adc633968f1c84aecf3f86e4f4ee06ee51c9.exe"
1⤵
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiodh.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiodh.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\audiodh.exe

Filesize
484KB

MD5
9bb1d35876e7348746ecf4e53cdab5df

SHA1
73668b318b1ba53cf1b7a8cff974158d8cfefc40

SHA256
7b16d4a8c4333d60cbd9dd134a48161a92081f55d9678d4cdc44fb6c497662dd

SHA512
06e23144b8a6ee64bd50d7169c7dd4098652e393a4c4b53ad262b036c22ebc3dc4a298667de257104f395653fa904a5af45b45969a653a05e76cd6a0c4efc3fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiodh.exe

Filesize
484KB

MD5
821c00aa113eec1bad3d4e54e2972d90

SHA1
3990bddcf34ad33a522ad51df6747054b2247ea2

SHA256
072a5598ea9b1b9f138815318055adc633968f1c84aecf3f86e4f4ee06ee51c9

SHA512
97ef34c352eb5ca1a6efd63dd74193031a3881e6a2fcedb0c6464a8c9efdf33341b67517ca7e2b14d25a9dc9440321afbf76c2546a5ea2f66af5e2be6355a52c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiodh.exe

Filesize
484KB

MD5
821c00aa113eec1bad3d4e54e2972d90

SHA1
3990bddcf34ad33a522ad51df6747054b2247ea2

SHA256
072a5598ea9b1b9f138815318055adc633968f1c84aecf3f86e4f4ee06ee51c9

SHA512
97ef34c352eb5ca1a6efd63dd74193031a3881e6a2fcedb0c6464a8c9efdf33341b67517ca7e2b14d25a9dc9440321afbf76c2546a5ea2f66af5e2be6355a52c

Download Submit
memory/940-60-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmp

Filesize
10.1MB

Download
memory/940-61-0x000007FEF2AA0000-0x000007FEF3B36000-memory.dmp

Filesize
16.6MB

Download
memory/940-62-0x0000000000A1B000-0x0000000000A3A000-memory.dmp

Filesize
124KB

Download
memory/940-64-0x0000000000A1B000-0x0000000000A3A000-memory.dmp

Filesize
124KB

Download
memory/1980-54-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmp

Filesize
10.1MB

Download
memory/1980-55-0x000007FEF2C30000-0x000007FEF3CC6000-memory.dmp

Filesize
16.6MB

Download
memory/1980-59-0x0000000000BDB000-0x0000000000BFA000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing