581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2

General

Target

581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Size

114KB
MD5

5bc26371371794917f3b6250bdbd30a3
SHA1

c9ae596b1991676da4d12b1dde8304ed5e24619a
SHA256

581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2
SHA512

5b400deaab82ec4248cd587c5dad8f675eae3f0b68189f2452b67e29358c2b43b9922f05aa3ca3ec8a6135a2f3f85c49c7d9fd632eeadb110c8fc8aaef4f8e11
SSDEEP

1536:XpNmtV24Ox/o5wuAmF2XjxShZCjz980T+ETOyXKz+Kc2:XpNmAHZawyIzIhkjzG0TPyyX2lc

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe

description ioc process

File opened (read-only) \??\D: 581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe

description	ioc	process
File opened (read-only)	\??\D:	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe

Modifies registry class 39 IoCs

Processes:

581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIDFile\protocol\StdFileEditing\server	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIDFile\protocol\StdFileEditing\server\ = "mplay32.exe /mid"	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdExecute\server\ = "mplay32.exe"	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\shell\open	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdFileEditing\server\ = "mplay32.exe"	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdFileEditing\verb\1\ = "&Edit"	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\protocol	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\protocol\StdFileEditing	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIDFile\protocol\StdFileEditing	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdExecute	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdFileEditing\PackageObjects	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdFileEditing\verb\0	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdFileEditing\verb	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\shell\open\command\ = "mplay32.exe /play /close %1"	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdFileEditing\verb\0\ = "&Play"	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmi\ = "MIDFile"	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\insertable\	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mid\ = "MIDFile"	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\protocol\StdFileEditing\server\ = "mplay32.exe /avi"	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdFileEditing\handler32	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdFileEditing\verb\1	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\protocol\StdFileEditing\server	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\ = "Media Clip"	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\insertable	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdFileEditing\handler	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdFileEditing\handler\ = "mciole16.dll"	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\shell	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdFileEditing\PackageObjects\	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdFileEditing\server	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.avi\ = "AVIFile"	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdExecute\server	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\shell\open\command	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdFileEditing	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer\protocol\StdFileEditing\handler32\ = "mciole32.dll"	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIDFile	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIDFile\protocol	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1656	AUDIODG.EXE
Token: 33	1656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1656	AUDIODG.EXE

Suspicious use of SetWindowsHookAW 1 IoCs

Processes:

581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe

pid process

1992 581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe

pid	process
1992	581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe

C:\Users\Admin\AppData\Local\Temp\581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe
"C:\Users\Admin\AppData\Local\Temp\581ff408660c2cb45ddee68b3c4031f696cd68575842cca9160c5b0114acc7b2.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SetWindowsHookAW
PID:1992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing