71b773b3acb91425a1c12cb0688b30cabaf6c7684d1d9cf8adee9cd8977aeccc

General

Target

71b773b3acb91425a1c12cb0688b30cabaf6c7684d1d9cf8adee9cd8977aeccc.exe
Size

2.0MB
MD5

7061d52e07d41a5104ff28ecf87b3cce
SHA1

bdde3bced2af620749e502b1b299923cd053eaea
SHA256

71b773b3acb91425a1c12cb0688b30cabaf6c7684d1d9cf8adee9cd8977aeccc
SHA512

8410af8e52fe650ea2d7f297bffe2c6f0728f775c26483821ac90842b62342348764e042565bf5d81116107042b88de8b6d3d585b2e5f8ce655bef53bb8c0204
SSDEEP

49152:MCjQQ4KUiKwhtxZrd3XKp14+e/D06dc+Ar:M3KUAV7HS0Q1r

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1664	AYE.exe

Loads dropped DLL 2 IoCs

pid	Process
1688	71b773b3acb91425a1c12cb0688b30cabaf6c7684d1d9cf8adee9cd8977aeccc.exe
1664	AYE.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	AYE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AYE Start = "C:\\Windows\\SysWOW64\\WAAWOU\\AYE.exe"	AYE.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WAAWOU\	AYE.exe
File created	C:\Windows\SysWOW64\WAAWOU\AYE.exe	71b773b3acb91425a1c12cb0688b30cabaf6c7684d1d9cf8adee9cd8977aeccc.exe
File created	C:\Windows\SysWOW64\WAAWOU\AYE.00	71b773b3acb91425a1c12cb0688b30cabaf6c7684d1d9cf8adee9cd8977aeccc.exe
File created	C:\Windows\SysWOW64\WAAWOU\AYE.01	71b773b3acb91425a1c12cb0688b30cabaf6c7684d1d9cf8adee9cd8977aeccc.exe
File created	C:\Windows\SysWOW64\WAAWOU\AYE.02	71b773b3acb91425a1c12cb0688b30cabaf6c7684d1d9cf8adee9cd8977aeccc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1664	AYE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1664	AYE.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1744	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1744	AUDIODG.EXE
Token: 33	1744	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1744	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1664	AYE.exe
1664	AYE.exe
1664	AYE.exe
1664	AYE.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1664	1688	71b773b3acb91425a1c12cb0688b30cabaf6c7684d1d9cf8adee9cd8977aeccc.exe	27
PID 1688 wrote to memory of 1664	1688	71b773b3acb91425a1c12cb0688b30cabaf6c7684d1d9cf8adee9cd8977aeccc.exe	27
PID 1688 wrote to memory of 1664	1688	71b773b3acb91425a1c12cb0688b30cabaf6c7684d1d9cf8adee9cd8977aeccc.exe	27
PID 1688 wrote to memory of 1664	1688	71b773b3acb91425a1c12cb0688b30cabaf6c7684d1d9cf8adee9cd8977aeccc.exe	27

C:\Users\Admin\AppData\Local\Temp\71b773b3acb91425a1c12cb0688b30cabaf6c7684d1d9cf8adee9cd8977aeccc.exe
"C:\Users\Admin\AppData\Local\Temp\71b773b3acb91425a1c12cb0688b30cabaf6c7684d1d9cf8adee9cd8977aeccc.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\WAAWOU\AYE.exe
  "C:\Windows\system32\WAAWOU\AYE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1664

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WAAWOU\AYE.00

Filesize
2KB

MD5
5575e951e0359d6cf3b2e3f48db5d4ca

SHA1
f2b2cb540db730a985850bbe0af9b3eb0d9a12cd

SHA256
37d5975fa33b995b69e9d49071f1961fe294885c7c9ed7c917ce97c13186fe77

SHA512
840321f761b72d51de48ec6808c3fcd65d06f732b1abd2dbff8310460b5e3307f824489cff255e3e943923b935cf918dffaf07786a631db487d46fb2f1c9fc6a

Download Submit
C:\Windows\SysWOW64\WAAWOU\AYE.01

Filesize
80KB

MD5
3fde7010963776dd7a80455e22099da1

SHA1
2e1d3fc20ca85dbc2f590fac3d105b18de57db9a

SHA256
74851c8cb16e499c54533a222d11667be72ebb16cf0fdc1127f47fcd4116e5c8

SHA512
3ff5ff61bed5c394d4b8253ea4b81bca3df075105744915f1b656b2ed7bee027613a1631bb84b2a40b52a808005efcab0262b44eabb523f86ecd2c321b7a370e

Download Submit
C:\Windows\SysWOW64\WAAWOU\AYE.exe

Filesize
2.3MB

MD5
4c78cd7e21469c2a2351c2d2041765c4

SHA1
50cb543a306da43fb8d287dcea58e57ceb333df8

SHA256
534011ceeb871edc782bea3fa4d9cb1e9ef250e43d720eecbf0c1ef1fbca3f12

SHA512
52ea67a1a62b55b6e88848db71df4e0fa7f4c38a5ea712ea515bde013fe19ee38e540d3df54cd60318f0bca0ee865c9e709f7a38d1a4a3ad8df547487f8c04d4

Download Submit
\Windows\SysWOW64\WAAWOU\AYE.01

Filesize
80KB

MD5
3fde7010963776dd7a80455e22099da1

SHA1
2e1d3fc20ca85dbc2f590fac3d105b18de57db9a

SHA256
74851c8cb16e499c54533a222d11667be72ebb16cf0fdc1127f47fcd4116e5c8

SHA512
3ff5ff61bed5c394d4b8253ea4b81bca3df075105744915f1b656b2ed7bee027613a1631bb84b2a40b52a808005efcab0262b44eabb523f86ecd2c321b7a370e

Download Submit
\Windows\SysWOW64\WAAWOU\AYE.exe

Filesize
2.3MB

MD5
4c78cd7e21469c2a2351c2d2041765c4

SHA1
50cb543a306da43fb8d287dcea58e57ceb333df8

SHA256
534011ceeb871edc782bea3fa4d9cb1e9ef250e43d720eecbf0c1ef1fbca3f12

SHA512
52ea67a1a62b55b6e88848db71df4e0fa7f4c38a5ea712ea515bde013fe19ee38e540d3df54cd60318f0bca0ee865c9e709f7a38d1a4a3ad8df547487f8c04d4

Download Submit
memory/1664-56-0x0000000000000000-mapping.dmp

Download
memory/1664-63-0x00000000003D0000-0x00000000003E9000-memory.dmp

Filesize
100KB

Download
memory/1664-64-0x00000000003D0000-0x00000000003E9000-memory.dmp

Filesize
100KB

Download
memory/1688-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1688-59-0x0000000000820000-0x0000000000A23000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing