91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399

Analysis

max time kernel
151s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.exe
Size

1.9MB
MD5

f5c3e32cbce263aec5629a332877697f
SHA1

6a2e9980ce7519e433f7ff8be546182eb5c49c2e
SHA256

91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399
SHA512

5badebcfe50c7793ac871ab7e45d85f49ae2190d0ace424aa08fd68a48165ad7eece887c9fc755ba97d4a68043ee63be78b172c6377b6b0ef97aa4dd29da9031
SSDEEP

49152:AvtVr2ppT2p45wmsx5GBkO8mcFR45Pi/ybTsvD/DX+y4onCYDoD5:O2XT2p22CkpmcFRoTTsvD/D+donCYUV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Server_se.exekeygen.execarss.exe

pid process

1152 Server_se.exe
1340 keygen.exe
1312 carss.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Server_se.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server_se.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server_se.exe

Loads dropped DLL 5 IoCs

Processes:

91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.exeServer_se.execarss.exe

pid	process
1316	91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.exe
1316	91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.exe
1316	91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.exe
1152	Server_se.exe
1312	carss.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 57 IoCs

Processes:

Server_se.exe

pid	process
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe

Drops file in Program Files directory 3 IoCs

Processes:

Server_se.exe

description	ioc	process
File created	C:\Program Files (x86)\wi240574453nd.temp	Server_se.exe
File created	C:\Program Files\Internet Explorer\carss.exe	Server_se.exe
File opened for modification	C:\Program Files\Internet Explorer\carss.exe	Server_se.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Server_se.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Server_se.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Server_se.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Server_se.execarss.exe

pid	process
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1152	Server_se.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe
1312	carss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 4048 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 4048 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.exe

pid process

1316 91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.exe

description	pid	process
Token: 33	4048	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4048	AUDIODG.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.execmd.execmd.exeServer_se.exe

description	pid	process	target process
PID 1316 wrote to memory of 2404	1316	91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.exe	cmd.exe
PID 1316 wrote to memory of 2404	1316	91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.exe	cmd.exe
PID 1316 wrote to memory of 2404	1316	91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.exe	cmd.exe
PID 1316 wrote to memory of 2320	1316	91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.exe	cmd.exe
PID 1316 wrote to memory of 2320	1316	91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.exe	cmd.exe
PID 1316 wrote to memory of 2320	1316	91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.exe	cmd.exe
PID 2404 wrote to memory of 1152	2404	cmd.exe	Server_se.exe
PID 2404 wrote to memory of 1152	2404	cmd.exe	Server_se.exe
PID 2404 wrote to memory of 1152	2404	cmd.exe	Server_se.exe
PID 2320 wrote to memory of 1340	2320	cmd.exe	keygen.exe
PID 2320 wrote to memory of 1340	2320	cmd.exe	keygen.exe
PID 2320 wrote to memory of 1340	2320	cmd.exe	keygen.exe
PID 1152 wrote to memory of 1312	1152	Server_se.exe	carss.exe
PID 1152 wrote to memory of 1312	1152	Server_se.exe	carss.exe
PID 1152 wrote to memory of 1312	1152	Server_se.exe	carss.exe

C:\Users\Admin\AppData\Local\Temp\91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.exe
"C:\Users\Admin\AppData\Local\Temp\91a9f326ea245a4713a9266c301a0f4c77e1977b7dd18cf5411530288ca1b399.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\\Server_se.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\Server_se.exe
C:\Users\Admin\AppData\Local\Temp\\Server_se.exe
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1152

C:\Program Files\Internet Explorer\carss.exe
"C:\Program Files\Internet Explorer\carss.exe" C:\WINDOWS\Temp\hx107.tmp CodeMain
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\\keygen.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\keygen.exe
C:\Users\Admin\AppData\Local\Temp\\keygen.exe
3⤵
- Executes dropped EXE
PID:1340

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x324 0x308
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\carss.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Program Files\Internet Explorer\carss.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.1MB

MD5
97c8fe752e354b2945e4c593a87e4a8b

SHA1
03ab4c91535ecf14b13e0258f3a7be459a7957f9

SHA256
820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead

SHA512
af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
56KB

MD5
d63851f89c7ad4615565ca300e8b8e27

SHA1
1c9a6c1ce94581f85be0e99e2d370384b959578f

SHA256
0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d

SHA512
623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
56KB

MD5
d63851f89c7ad4615565ca300e8b8e27

SHA1
1c9a6c1ce94581f85be0e99e2d370384b959578f

SHA256
0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d

SHA512
623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEDE4F.tmp

Filesize
1024B

MD5
12871388b682b159ddd85545302a289d

SHA1
76b47377da188fcfddeefa0f940287f1cce9885d

SHA256
cc033f00e96cae1829e3a5c15150fe68a62f65440f1b158d9257370fbc488a9b

SHA512
d60953b62d08e52fa2860db257e2bdbaa97e7eff7007617857f7b30a76f7c7ba81f8444d313a6ad496adbbaede5af1661e72522046789bb9aee1340f7ac12c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server_se.exe

Filesize
1.2MB

MD5
60a792d195f6fdac19591eb4ce8d67cc

SHA1
e7479c5c212f8dbd5ea41c9724df80a81362139f

SHA256
5b6b50582785a002a5af91dd0000ea15add5f7b45a208224ff241a665b394c6a

SHA512
983f6e167faf5e2778a8e612d8c2a116b16454670917f01848e58a178f77ed662c05ba7141a6c028bc5750b50cfa5972055a36b6d2582e0d9d13f551cd0421ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server_se.exe

Filesize
1.2MB

MD5
60a792d195f6fdac19591eb4ce8d67cc

SHA1
e7479c5c212f8dbd5ea41c9724df80a81362139f

SHA256
5b6b50582785a002a5af91dd0000ea15add5f7b45a208224ff241a665b394c6a

SHA512
983f6e167faf5e2778a8e612d8c2a116b16454670917f01848e58a178f77ed662c05ba7141a6c028bc5750b50cfa5972055a36b6d2582e0d9d13f551cd0421ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
118KB

MD5
c5b14d9af1807566c10d7dd91b0f7bad

SHA1
7c08f3d648a1a9cd3ca392f56e424555ab096b97

SHA256
e36c634ef929dad620c6b62dfb06d47846b94bb4cb1e90ccdc38ba0e9a7a89fb

SHA512
8928b08d20a112a8c86833cac8d06fc38b8dedce9baa9b2080b8e401b8437bfdb7e79aa75960f1286ecc742fa135da28d9995033db54d6da89a0fd539aa57c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
118KB

MD5
c5b14d9af1807566c10d7dd91b0f7bad

SHA1
7c08f3d648a1a9cd3ca392f56e424555ab096b97

SHA256
e36c634ef929dad620c6b62dfb06d47846b94bb4cb1e90ccdc38ba0e9a7a89fb

SHA512
8928b08d20a112a8c86833cac8d06fc38b8dedce9baa9b2080b8e401b8437bfdb7e79aa75960f1286ecc742fa135da28d9995033db54d6da89a0fd539aa57c49

Download Submit
C:\WINDOWS\Temp\hx107.tmp

Filesize
20.2MB

MD5
e16af081ac517c1d628ec740829605a9

SHA1
afe7894cec52d47e327683badec1b60f0d6ee273

SHA256
a9f58a9251c7a946c0c9ee87a609a30c7f8985360915109a77d2a682cfa7483e

SHA512
7906fda06a4a49a508951467b41d947e791d46a9e4093eb23548225f6500c7073d42721c402948f4996329cf5af7a65b82744234aa82f0dd04b8ecc12c9751db

Download Submit
C:\Windows\Temp\hx107.tmp

Filesize
20.2MB

MD5
e16af081ac517c1d628ec740829605a9

SHA1
afe7894cec52d47e327683badec1b60f0d6ee273

SHA256
a9f58a9251c7a946c0c9ee87a609a30c7f8985360915109a77d2a682cfa7483e

SHA512
7906fda06a4a49a508951467b41d947e791d46a9e4093eb23548225f6500c7073d42721c402948f4996329cf5af7a65b82744234aa82f0dd04b8ecc12c9751db

Download Submit
memory/1152-1285-0x0000000000916000-0x0000000000949000-memory.dmp

Filesize
204KB

Download
memory/1152-786-0x00000000008E7000-0x000000000095F000-memory.dmp

Filesize
480KB

Download
memory/1152-1295-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1152-144-0x00000000777C0000-0x0000000077963000-memory.dmp

Filesize
1.6MB

Download
memory/1152-146-0x0000000077570000-0x0000000077785000-memory.dmp

Filesize
2.1MB

Download
memory/1152-150-0x0000000075F50000-0x00000000760F0000-memory.dmp

Filesize
1.6MB

Download
memory/1152-152-0x0000000076B20000-0x0000000076B9A000-memory.dmp

Filesize
488KB

Download
memory/1152-1294-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1152-1293-0x0000000000916000-0x0000000000949000-memory.dmp

Filesize
204KB

Download
memory/1152-305-0x0000000002374000-0x0000000002518000-memory.dmp

Filesize
1.6MB

Download
memory/1152-303-0x0000000002270000-0x0000000002361000-memory.dmp

Filesize
964KB

Download
memory/1152-145-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1152-787-0x0000000002757000-0x000000000296D000-memory.dmp

Filesize
2.1MB

Download
memory/1152-140-0x0000000000000000-mapping.dmp

Download
memory/1152-1281-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1152-1282-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1152-1283-0x0000000002974000-0x0000000002B15000-memory.dmp

Filesize
1.6MB

Download
memory/1152-1284-0x0000000002520000-0x0000000002620000-memory.dmp

Filesize
1024KB

Download
memory/1152-1292-0x0000000002270000-0x0000000002361000-memory.dmp

Filesize
964KB

Download
memory/1152-1286-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1312-1287-0x0000000000000000-mapping.dmp

Download
memory/1316-136-0x00000000006D0000-0x00000000006E4000-memory.dmp

Filesize
80KB

Download
memory/1316-133-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1316-139-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1340-301-0x0000000000580000-0x0000000000583000-memory.dmp

Filesize
12KB

Download
memory/1340-299-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1340-143-0x0000000000000000-mapping.dmp

Download
memory/1340-1296-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2320-138-0x0000000000000000-mapping.dmp

Download
memory/2404-137-0x0000000000000000-mapping.dmp

Download