3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b

General

Target

3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe
Size

316KB
MD5

461da96893de41f57cbf054baec185ac
SHA1

bfb4ccc749153cdf3561cc90deb56e0de5917d98
SHA256

3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b
SHA512

0f263a8469d39756f3d8d7c137f31c468f95bb1e20ba58987a953908af3d89fdf239934e3cba294609830ffefec6b6da1c39b32dc7e76495385633276d2a6fce
SSDEEP

6144:DeeNvVM6B9GyRYSP+fF0f2t6b+vClRHUcivtJOkRGP07ByaB22U9F/Ps:DeeNvVM6B0yaSWfFZt6KqlKRvtJOkRG8

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 17 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

efo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*"	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\DefaultIcon	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\efo.exe\" -a \"%1\" %*"	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas\command	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\ = "Application"	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\DefaultIcon\ = "%1"	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*"	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*"	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start\command	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\Content Type = "application/x-msdownload"	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*"	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*"	efo.exe

Disables taskbar notifications via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

efo.exe

pid process

1324 efo.exe

pid	process
1324	efo.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

efo.exe

pid process

1324 efo.exe

pid	process
1324	efo.exe

Loads dropped DLL 2 IoCs

Processes:

3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe

pid	process
1704	3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe
1704	3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

efo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe"	efo.exe

Modifies registry class 41 IoCs

Processes:

efo.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*"	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\Content Type = "application/x-msdownload"	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*"	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\DefaultIcon\ = "%1"	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\runas\command	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\DefaultIcon	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\ = "Application"	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\DefaultIcon	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start\command	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\Content Type = "application/x-msdownload"	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*"	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*"	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*"	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\efo.exe\" -a \"%1\" %*"	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*"	efo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\open\command	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\DefaultIcon\ = "%1"	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\ = "exefile"	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\start\command	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*"	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\efo.exe\" -a \"%1\" %*"	efo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas\command	efo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\open	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\runas	efo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\start	efo.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exeefo.exe

pid	process
1704	3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe
1704	3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe
1704	3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe
1704	3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe
1704	3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe
1704	3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe
1704	3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe
1704	3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe
1704	3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe
1324	efo.exe
1324	efo.exe
1324	efo.exe
1324	efo.exe
1324	efo.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

592 explorer.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

explorer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	592	explorer.exe
Token: SeShutdownPrivilege	592	explorer.exe
Token: SeShutdownPrivilege	592	explorer.exe
Token: SeShutdownPrivilege	592	explorer.exe
Token: SeShutdownPrivilege	592	explorer.exe
Token: SeShutdownPrivilege	592	explorer.exe
Token: SeShutdownPrivilege	592	explorer.exe
Token: SeShutdownPrivilege	592	explorer.exe
Token: SeShutdownPrivilege	592	explorer.exe
Token: SeShutdownPrivilege	592	explorer.exe
Token: 33	892	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	892	AUDIODG.EXE
Token: 33	892	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	892	AUDIODG.EXE
Token: SeShutdownPrivilege	592	explorer.exe
Token: SeShutdownPrivilege	592	explorer.exe
Token: SeShutdownPrivilege	592	explorer.exe
Token: SeShutdownPrivilege	592	explorer.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

explorer.exeefo.exe

pid	process
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
1324	efo.exe
592	explorer.exe
592	explorer.exe
1324	efo.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

explorer.exeefo.exe

pid	process
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
592	explorer.exe
1324	efo.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe

description	pid	process	target process
PID 1704 wrote to memory of 1324	1704	3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe	efo.exe
PID 1704 wrote to memory of 1324	1704	3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe	efo.exe
PID 1704 wrote to memory of 1324	1704	3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe	efo.exe
PID 1704 wrote to memory of 1324	1704	3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe	efo.exe

C:\Users\Admin\AppData\Local\Temp\3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe
"C:\Users\Admin\AppData\Local\Temp\3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\efo.exe
"C:\Users\Admin\AppData\Local\efo.exe" -gav C:\Users\Admin\AppData\Local\Temp\3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b.exe
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1324

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:592

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x594
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\efo.exe

Filesize
316KB

MD5
461da96893de41f57cbf054baec185ac

SHA1
bfb4ccc749153cdf3561cc90deb56e0de5917d98

SHA256
3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b

SHA512
0f263a8469d39756f3d8d7c137f31c468f95bb1e20ba58987a953908af3d89fdf239934e3cba294609830ffefec6b6da1c39b32dc7e76495385633276d2a6fce

Download Submit
C:\Users\Admin\AppData\Local\efo.exe

Filesize
316KB

MD5
461da96893de41f57cbf054baec185ac

SHA1
bfb4ccc749153cdf3561cc90deb56e0de5917d98

SHA256
3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b

SHA512
0f263a8469d39756f3d8d7c137f31c468f95bb1e20ba58987a953908af3d89fdf239934e3cba294609830ffefec6b6da1c39b32dc7e76495385633276d2a6fce

Download Submit
\Users\Admin\AppData\Local\efo.exe

Filesize
316KB

MD5
461da96893de41f57cbf054baec185ac

SHA1
bfb4ccc749153cdf3561cc90deb56e0de5917d98

SHA256
3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b

SHA512
0f263a8469d39756f3d8d7c137f31c468f95bb1e20ba58987a953908af3d89fdf239934e3cba294609830ffefec6b6da1c39b32dc7e76495385633276d2a6fce

Download Submit
\Users\Admin\AppData\Local\efo.exe

Filesize
316KB

MD5
461da96893de41f57cbf054baec185ac

SHA1
bfb4ccc749153cdf3561cc90deb56e0de5917d98

SHA256
3ac1dccdd270dd81d0b4a8a84f62db1a7019c2b133f1d1a19aeee55a576f8f8b

SHA512
0f263a8469d39756f3d8d7c137f31c468f95bb1e20ba58987a953908af3d89fdf239934e3cba294609830ffefec6b6da1c39b32dc7e76495385633276d2a6fce

Download Submit
memory/592-68-0x000007FEFB371000-0x000007FEFB373000-memory.dmp

Filesize
8KB

Download
memory/1324-66-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1324-61-0x0000000000000000-mapping.dmp

Download
memory/1324-67-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1324-69-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1324-70-0x0000000074381000-0x0000000074383000-memory.dmp

Filesize
8KB

Download
memory/1704-58-0x0000000001F30000-0x00000000021E7000-memory.dmp

Filesize
2.7MB

Download
memory/1704-56-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1704-63-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1704-57-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1704-54-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1704-55-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads