ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb

General

Target

ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Size

435KB
MD5

302561f3ff7ffab43797b19e7334ba19
SHA1

bb975283b513aa4c7f4f1e1c2b29302531372992
SHA256

ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb
SHA512

3179af120089fa579a8c7a651099d4b849e8acfcd334819eaf5485648436162ddb0f8b075dd26ed9d4dcee76c0728687ea1c9f587f85d416f085c0986631b550
SSDEEP

6144:vdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70Nqq:l8kxNhOZElO5kkWjhD4A

Score

10^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

LODXB.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	LODXB.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files (x86)\\RRGITB.EXE \"%1\" %*"	LODXB.EXE

Executes dropped EXE 1 IoCs

Processes:

LODXB.EXE

pid process

1484 LODXB.EXE

pid	process
1484	LODXB.EXE

Loads dropped DLL 2 IoCs

Processes:

ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe

pid	process
892	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
892	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DBUGQUP.EXE = "C:\\Users\\DBUGQUP.EXE"	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe

Enumerates connected drives 3 TTPs 36 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exeLODXB.EXE

description	ioc	process
File opened (read-only)	\??\O:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\U:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\E:	LODXB.EXE
File opened (read-only)	\??\O:	LODXB.EXE
File opened (read-only)	\??\E:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\J:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\M:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\N:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\P:	LODXB.EXE
File opened (read-only)	\??\R:	LODXB.EXE
File opened (read-only)	\??\G:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\L:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\S:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\T:	LODXB.EXE
File opened (read-only)	\??\F:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\H:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\P:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\I:	LODXB.EXE
File opened (read-only)	\??\T:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\F:	LODXB.EXE
File opened (read-only)	\??\M:	LODXB.EXE
File opened (read-only)	\??\N:	LODXB.EXE
File opened (read-only)	\??\Q:	LODXB.EXE
File opened (read-only)	\??\S:	LODXB.EXE
File opened (read-only)	\??\K:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\Q:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\J:	LODXB.EXE
File opened (read-only)	\??\L:	LODXB.EXE
File opened (read-only)	\??\V:	LODXB.EXE
File opened (read-only)	\??\I:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\R:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\H:	LODXB.EXE
File opened (read-only)	\??\V:	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened (read-only)	\??\G:	LODXB.EXE
File opened (read-only)	\??\K:	LODXB.EXE
File opened (read-only)	\??\U:	LODXB.EXE

Drops file in Program Files directory 4 IoCs

Processes:

ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exeLODXB.EXE

description	ioc	process
File created	C:\Program Files\LODXB.EXE	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File opened for modification	C:\Program Files\LODXB.EXE	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File created	C:\Program Files\DZNN.EXE	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
File created	C:\Program Files (x86)\RRGITB.EXE	LODXB.EXE

Modifies registry class 17 IoCs

Processes:

ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exeLODXB.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Users\\DBUGQUP.EXE \"%1\""	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files\\DZNN.EXE %1"	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\Users\\KLQXPQB.EXE %1"	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\DBUGQUP.EXE %1"	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Users\\DBUGQUP.EXE \"%1\" %*"	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files (x86)\\RRGITB.EXE \"%1\" %*"	LODXB.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	LODXB.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

LODXB.EXE

pid process

1484 LODXB.EXE

pid	process
1484	LODXB.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe

description	pid	process	target process
PID 892 wrote to memory of 1484	892	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe	LODXB.EXE
PID 892 wrote to memory of 1484	892	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe	LODXB.EXE
PID 892 wrote to memory of 1484	892	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe	LODXB.EXE
PID 892 wrote to memory of 1484	892	ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe	LODXB.EXE

C:\Users\Admin\AppData\Local\Temp\ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe
"C:\Users\Admin\AppData\Local\Temp\ac136ec1a3811cb4ce3224b95bbca3b0686704e42bd3e811b184a9c14a3acdfb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:892

C:\Program Files\LODXB.EXE
"C:\Program Files\LODXB.EXE"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1484

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\LODXB.EXE
Filesize
436KB

MD5
12ca1e7fb40e1d493a97c4120d6e314e

SHA1
dde575bff79496ee39d73c56a603f36fe78bafa4

SHA256
197fa0dcf8283f4d8d6a0c4c813504ada6091462b0900c203da62b75b7b20a8b

SHA512
1d382f39ea21407dcd15ce471db87ca7d00f8bd1aad2bacef2fa4b5dec8d26ac46173566dec2d353d052d4d6a760ad662420dedb647a09c95fe10ae9092929ee

Download Submit
C:\Program Files\LODXB.EXE
Filesize
436KB

MD5
12ca1e7fb40e1d493a97c4120d6e314e

SHA1
dde575bff79496ee39d73c56a603f36fe78bafa4

SHA256
197fa0dcf8283f4d8d6a0c4c813504ada6091462b0900c203da62b75b7b20a8b

SHA512
1d382f39ea21407dcd15ce471db87ca7d00f8bd1aad2bacef2fa4b5dec8d26ac46173566dec2d353d052d4d6a760ad662420dedb647a09c95fe10ae9092929ee

Download Submit
\??\c:\filedebug
Filesize
250B

MD5
9f100fe6909dddf7ae65315d9d69a554

SHA1
d433fb2551b8af4c96ab29b36c3055d8d924a1ef

SHA256
291fac3e945a2514c99c27656059ddc78f35922b1ee14391de376bd795783fc3

SHA512
d6e0bffc23a514581aa1cdb8fabd6c0ee6988bf52aa30c40e6c4c4904284f81e0f7ad0be8902aaa21bf8c0202fc7aca96512b5f755a57a15963286b39ea4ab1a

Download Submit
\Program Files\LODXB.EXE
Filesize
436KB

MD5
12ca1e7fb40e1d493a97c4120d6e314e

SHA1
dde575bff79496ee39d73c56a603f36fe78bafa4

SHA256
197fa0dcf8283f4d8d6a0c4c813504ada6091462b0900c203da62b75b7b20a8b

SHA512
1d382f39ea21407dcd15ce471db87ca7d00f8bd1aad2bacef2fa4b5dec8d26ac46173566dec2d353d052d4d6a760ad662420dedb647a09c95fe10ae9092929ee

Download Submit
\Program Files\LODXB.EXE
Filesize
436KB

MD5
12ca1e7fb40e1d493a97c4120d6e314e

SHA1
dde575bff79496ee39d73c56a603f36fe78bafa4

SHA256
197fa0dcf8283f4d8d6a0c4c813504ada6091462b0900c203da62b75b7b20a8b

SHA512
1d382f39ea21407dcd15ce471db87ca7d00f8bd1aad2bacef2fa4b5dec8d26ac46173566dec2d353d052d4d6a760ad662420dedb647a09c95fe10ae9092929ee

Download Submit
memory/1484-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads