Analysis
max time kernel: 166s
max time network: 192s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 01:05
Static task: static1
Behavioral task: behavioral1
  Sample: 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe
  Resource: win10v2004-20221111-en
General
Target: 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe
Size: 26KB
MD5: 35f1c094070892376e1b06c7663f88cf
SHA1: 246b6ba9c283cf5376acd8327c381dd44d9020bd
SHA256: 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800
SHA512: 4e14c6018663cddfdcbb737f62178438469be6f302cc6aa180038aab50ca68b06866ae787d979d557e37397db152645df6a345bf6427a36285141b8e7205c130
SSDEEP: 384:tD5bUAt3Huy/lTCF6mGSi4llrdnXpo+deYZwlx9O9SwOtV2+25jPV:t1bz3HuhHl7nXObV9O9Wto5jPV
Malware Config
Signatures
Executes dropped EXE 2 IoCs
Processes:
  pid | process
  2016 | audiohd.exe
  704 | WUDHost.exe
Loads dropped DLL 2 IoCs
Processes:
  pid | process
  1704 | 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe
  1704 | 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Audio Driver = "\"C:\\Windows\\system32\\audiohd.exe\"" | 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Audio Driver = "\"C:\\Windows\\system32\\audiohd.exe\"" | audiohd.exe
Drops file in System32 directory 2 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\audiohd.exe | 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe
  File created | C:\Windows\SysWOW64\audiohd.exe | 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe
Drops file in Program Files directory 2 IoCs
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\Common Files\WUDHost.exe | 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe
  File opened for modification | C:\Program Files (x86)\Common Files\WUDHost.exe | 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | audiohd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | audiohd.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | WUDHost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WUDHost.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
  pid | process
  1704 | 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe (listed 8 times)
  2016 | audiohd.exe (listed 8 times)
  704 | WUDHost.exe (listed 8 times)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1704 | 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe
  Token: SeDebugPrivilege | 2016 | audiohd.exe
  Token: SeDebugPrivilege | 704 | WUDHost.exe
  Token: 33 | 2016 | audiohd.exe
  Token: SeIncBasePriorityPrivilege | 2016 | audiohd.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  description | pid | process | target process
  PID 1704 wrote to memory of 2016 | 1704 | 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe | audiohd.exe (listed 4 times)
  PID 1704 wrote to memory of 704 | 1704 | 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe | WUDHost.exe (listed 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe
  "C:\Users\Admin\AppData\Local\Temp\822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\audiohd.exe
    "C:\Windows\system32\audiohd.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Program Files (x86)\Common Files\WUDHost.exe
    "C:\Program Files (x86)\Common Files\WUDHost.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files (x86)\Common Files\WUDHost.exe
  Filesize: 26KB
  MD5: 35f1c094070892376e1b06c7663f88cf
  SHA1: 246b6ba9c283cf5376acd8327c381dd44d9020bd
  SHA256: 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800
  SHA512: 4e14c6018663cddfdcbb737f62178438469be6f302cc6aa180038aab50ca68b06866ae787d979d557e37397db152645df6a345bf6427a36285141b8e7205c130

C:\Program Files (x86)\Common Files\WUDHost.exe
  Filesize: 26KB
  MD5: 35f1c094070892376e1b06c7663f88cf
  SHA1: 246b6ba9c283cf5376acd8327c381dd44d9020bd
  SHA256: 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800
  SHA512: 4e14c6018663cddfdcbb737f62178438469be6f302cc6aa180038aab50ca68b06866ae787d979d557e37397db152645df6a345bf6427a36285141b8e7205c130

C:\Windows\SysWOW64\audiohd.exe
  Filesize: 26KB
  MD5: 35f1c094070892376e1b06c7663f88cf
  SHA1: 246b6ba9c283cf5376acd8327c381dd44d9020bd
  SHA256: 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800
  SHA512: 4e14c6018663cddfdcbb737f62178438469be6f302cc6aa180038aab50ca68b06866ae787d979d557e37397db152645df6a345bf6427a36285141b8e7205c130

C:\Windows\SysWOW64\audiohd.exe
  Filesize: 26KB
  MD5: 35f1c094070892376e1b06c7663f88cf
  SHA1: 246b6ba9c283cf5376acd8327c381dd44d9020bd
  SHA256: 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800
  SHA512: 4e14c6018663cddfdcbb737f62178438469be6f302cc6aa180038aab50ca68b06866ae787d979d557e37397db152645df6a345bf6427a36285141b8e7205c130

\Program Files (x86)\Common Files\WUDHost.exe
  Filesize: 26KB
  MD5: 35f1c094070892376e1b06c7663f88cf
  SHA1: 246b6ba9c283cf5376acd8327c381dd44d9020bd
  SHA256: 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800
  SHA512: 4e14c6018663cddfdcbb737f62178438469be6f302cc6aa180038aab50ca68b06866ae787d979d557e37397db152645df6a345bf6427a36285141b8e7205c130

\Windows\SysWOW64\audiohd.exe
  Filesize: 26KB
  MD5: 35f1c094070892376e1b06c7663f88cf
  SHA1: 246b6ba9c283cf5376acd8327c381dd44d9020bd
  SHA256: 822aff4a17a83193bb8954469030f8094986b1166ccbd551f07a77c720bfd800
  SHA512: 4e14c6018663cddfdcbb737f62178438469be6f302cc6aa180038aab50ca68b06866ae787d979d557e37397db152645df6a345bf6427a36285141b8e7205c130
memory/704-68-0x0000000074220000-0x00000000747CB000-memory.dmp
  Filesize: 5.7MB

memory/704-64-0x0000000000000000-mapping.dmp

memory/704-70-0x0000000074220000-0x00000000747CB000-memory.dmp
  Filesize: 5.7MB

memory/1704-63-0x0000000074220000-0x00000000747CB000-memory.dmp
  Filesize: 5.7MB

memory/1704-55-0x0000000074220000-0x00000000747CB000-memory.dmp
  Filesize: 5.7MB

memory/1704-54-0x00000000752B1000-0x00000000752B3000-memory.dmp
  Filesize: 8KB

memory/1704-69-0x0000000074220000-0x00000000747CB000-memory.dmp
  Filesize: 5.7MB

memory/2016-62-0x0000000074220000-0x00000000747CB000-memory.dmp
  Filesize: 5.7MB

memory/2016-57-0x0000000000000000-mapping.dmp

memory/2016-71-0x0000000074220000-0x00000000747CB000-memory.dmp
  Filesize: 5.7MB