e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8

General

Target

e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe
Size

134KB
MD5

bec37dc6fb25b7b4f6425e9b3fcd1913
SHA1

a71b41b5e48d31f11760065184f201eb43c8f126
SHA256

e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8
SHA512

4217aeb7d9ac6666867fc5c62db0ae3a7f5edd4beb504135f3e6c0c3ea4654415434e2581efd9255d466cde7aa27698b2d2d5560576b84052a5ed97a99b74966
SSDEEP

3072:t76QdbUdLdpKtnJapppppu12ygjOcO8LZZ:t76IaLCapppppK2VScp

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

audiodg.exeaudiodg.exeaudiodg.exe

pid process

1736 audiodg.exe
636 audiodg.exe
1944 audiodg.exe

pid	process
1736	audiodg.exe
636	audiodg.exe
1944	audiodg.exe

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

audiodg.exeaudiodg.exeaudiodg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{88EB3725-F97E-4C37-9CE8-0A928A20320C}	audiodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88EB3725-F97E-4C37-9CE8-0A928A20320C}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Products\\audiodg.exe\" -w"	audiodg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{88EB3725-F97E-4C37-9CE8-0A928A20320C}	audiodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88EB3725-F97E-4C37-9CE8-0A928A20320C}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Products\\audiodg.exe\" -w"	audiodg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{88EB3725-F97E-4C37-9CE8-0A928A20320C}	audiodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88EB3725-F97E-4C37-9CE8-0A928A20320C}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Products\\audiodg.exe\" -w"	audiodg.exe

Deletes itself 1 IoCs

Processes:

audiodg.exe

pid process

1736 audiodg.exe
Loads dropped DLL 3 IoCs

Processes:

e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exeaudiodg.exeaudiodg.exe

pid process

956 e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe
1736 audiodg.exe
636 audiodg.exe

pid	process
1736	audiodg.exe

pid	process
956	e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe
1736	audiodg.exe
636	audiodg.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

audiodg.exeaudiodg.exeaudiodg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	audiodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Products = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Products\\audiodg.exe\" -w"	audiodg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	audiodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Products = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Products\\audiodg.exe\" -w"	audiodg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	audiodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Products = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Products\\audiodg.exe\" -w"	audiodg.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

audiodg.exe

pid	process
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe
1944	audiodg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

audiodg.exe

description pid process

Token: SeDebugPrivilege 1944 audiodg.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exeaudiodg.exeaudiodg.exeaudiodg.exe

pid process

956 e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe
1736 audiodg.exe
636 audiodg.exe
1944 audiodg.exe

description	pid	process
Token: SeDebugPrivilege	1944	audiodg.exe

pid	process
956	e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe
1736	audiodg.exe
636	audiodg.exe
1944	audiodg.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exeaudiodg.exeaudiodg.exe

description	pid	process	target process
PID 956 wrote to memory of 316	956	e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe	cmd.exe
PID 956 wrote to memory of 316	956	e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe	cmd.exe
PID 956 wrote to memory of 316	956	e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe	cmd.exe
PID 956 wrote to memory of 316	956	e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe	cmd.exe
PID 956 wrote to memory of 1736	956	e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe	audiodg.exe
PID 956 wrote to memory of 1736	956	e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe	audiodg.exe
PID 956 wrote to memory of 1736	956	e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe	audiodg.exe
PID 956 wrote to memory of 1736	956	e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe	audiodg.exe
PID 1736 wrote to memory of 636	1736	audiodg.exe	audiodg.exe
PID 1736 wrote to memory of 636	1736	audiodg.exe	audiodg.exe
PID 1736 wrote to memory of 636	1736	audiodg.exe	audiodg.exe
PID 1736 wrote to memory of 636	1736	audiodg.exe	audiodg.exe
PID 636 wrote to memory of 1944	636	audiodg.exe	audiodg.exe
PID 636 wrote to memory of 1944	636	audiodg.exe	audiodg.exe
PID 636 wrote to memory of 1944	636	audiodg.exe	audiodg.exe
PID 636 wrote to memory of 1944	636	audiodg.exe	audiodg.exe

C:\Users\Admin\AppData\Local\Temp\e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe
"C:\Users\Admin\AppData\Local\Temp\e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\cmd.exe
  cmd /D /R type "C:\Users\Admin\AppData\Local\Temp\e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe" > "C:\Users\Admin\AppData\Roaming\Google Products\audiodg.exe"
  2⤵
  PID:316
- C:\Users\Admin\AppData\Roaming\Google Products\audiodg.exe
  "C:\Users\Admin\AppData\Roaming\Google Products\audiodg.exe" -m "C:\Users\Admin\AppData\Local\Temp\e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Deletes itself
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Roaming\Google Products\audiodg.exe
    "C:\Users\Admin\AppData\Roaming\Google Products\audiodg.exe" -w
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Users\Admin\AppData\Roaming\Google Products\audiodg.exe
      "C:\Users\Admin\AppData\Roaming\Google Products\audiodg.exe
      4⤵
      Executes dropped EXE
      Modifies Installed Components in the registry
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Google Products\audiodg.exe

Filesize
134KB

MD5
bec37dc6fb25b7b4f6425e9b3fcd1913

SHA1
a71b41b5e48d31f11760065184f201eb43c8f126

SHA256
e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8

SHA512
4217aeb7d9ac6666867fc5c62db0ae3a7f5edd4beb504135f3e6c0c3ea4654415434e2581efd9255d466cde7aa27698b2d2d5560576b84052a5ed97a99b74966

Download Submit
C:\Users\Admin\AppData\Roaming\Google Products\audiodg.exe

Filesize
134KB

MD5
bec37dc6fb25b7b4f6425e9b3fcd1913

SHA1
a71b41b5e48d31f11760065184f201eb43c8f126

SHA256
e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8

SHA512
4217aeb7d9ac6666867fc5c62db0ae3a7f5edd4beb504135f3e6c0c3ea4654415434e2581efd9255d466cde7aa27698b2d2d5560576b84052a5ed97a99b74966

Download Submit
C:\Users\Admin\AppData\Roaming\Google Products\audiodg.exe

Filesize
134KB

MD5
bec37dc6fb25b7b4f6425e9b3fcd1913

SHA1
a71b41b5e48d31f11760065184f201eb43c8f126

SHA256
e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8

SHA512
4217aeb7d9ac6666867fc5c62db0ae3a7f5edd4beb504135f3e6c0c3ea4654415434e2581efd9255d466cde7aa27698b2d2d5560576b84052a5ed97a99b74966

Download Submit
C:\Users\Admin\AppData\Roaming\Google Products\audiodg.exe

Filesize
134KB

MD5
bec37dc6fb25b7b4f6425e9b3fcd1913

SHA1
a71b41b5e48d31f11760065184f201eb43c8f126

SHA256
e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8

SHA512
4217aeb7d9ac6666867fc5c62db0ae3a7f5edd4beb504135f3e6c0c3ea4654415434e2581efd9255d466cde7aa27698b2d2d5560576b84052a5ed97a99b74966

Download Submit
\Users\Admin\AppData\Roaming\Google Products\audiodg.exe

Filesize
134KB

MD5
bec37dc6fb25b7b4f6425e9b3fcd1913

SHA1
a71b41b5e48d31f11760065184f201eb43c8f126

SHA256
e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8

SHA512
4217aeb7d9ac6666867fc5c62db0ae3a7f5edd4beb504135f3e6c0c3ea4654415434e2581efd9255d466cde7aa27698b2d2d5560576b84052a5ed97a99b74966

Download Submit
\Users\Admin\AppData\Roaming\Google Products\audiodg.exe

Filesize
134KB

MD5
bec37dc6fb25b7b4f6425e9b3fcd1913

SHA1
a71b41b5e48d31f11760065184f201eb43c8f126

SHA256
e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8

SHA512
4217aeb7d9ac6666867fc5c62db0ae3a7f5edd4beb504135f3e6c0c3ea4654415434e2581efd9255d466cde7aa27698b2d2d5560576b84052a5ed97a99b74966

Download Submit
\Users\Admin\AppData\Roaming\Google Products\audiodg.exe

Filesize
134KB

MD5
bec37dc6fb25b7b4f6425e9b3fcd1913

SHA1
a71b41b5e48d31f11760065184f201eb43c8f126

SHA256
e58516e526b26eddcac84fa810b386d33ed2dc379af1ab2a011ce4fb3033d7d8

SHA512
4217aeb7d9ac6666867fc5c62db0ae3a7f5edd4beb504135f3e6c0c3ea4654415434e2581efd9255d466cde7aa27698b2d2d5560576b84052a5ed97a99b74966

Download Submit
memory/316-56-0x0000000000000000-mapping.dmp

Download
memory/636-63-0x0000000000000000-mapping.dmp

Download
memory/636-71-0x0000000002130000-0x00000000021C5000-memory.dmp

Filesize
596KB

Download
memory/956-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/956-55-0x0000000002010000-0x00000000020A5000-memory.dmp

Filesize
596KB

Download
memory/1736-59-0x0000000000000000-mapping.dmp

Download
memory/1736-65-0x0000000001E70000-0x0000000001F05000-memory.dmp

Filesize
596KB

Download
memory/1944-68-0x0000000000000000-mapping.dmp

Download
memory/1944-72-0x00000000021A0000-0x0000000002235000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads