abe1d2eca52bf75ae14e0016d2e96ba3e6947c294fcc52def005c3f70ddd0a35

Analysis

max time kernel
151s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abe1d2eca52bf75ae14e0016d2e96ba3e6947c294fcc52def005c3f70ddd0a35.exe
Size

3.5MB
MD5

1d1670ed4dadee41648efd4d46e158f9
SHA1

000b4b149a512491e61d6c852400658ed7e793de
SHA256

abe1d2eca52bf75ae14e0016d2e96ba3e6947c294fcc52def005c3f70ddd0a35
SHA512

57ec277007ceb8d8de187209aa2cd4b45e9419d31ebbdf71fa4c598494c57e3f6f7332e543b3cbe57d08773866085c4e672ab482bb37e80771daf67ad560aaae
SSDEEP

98304:nfIPhb+R90rbEVparzcBYrtsSp03EZmE3pW/Ppl6Y6K+M4T:n+hb+f0PRvvrVpJZTY/BwE4T

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

run.exeautorun.exe

pid process

2124 run.exe
3536 autorun.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

abe1d2eca52bf75ae14e0016d2e96ba3e6947c294fcc52def005c3f70ddd0a35.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	abe1d2eca52bf75ae14e0016d2e96ba3e6947c294fcc52def005c3f70ddd0a35.exe

Loads dropped DLL 8 IoCs

Processes:

run.exeautorun.exe

pid process

2124 run.exe
3536 autorun.exe
3536 autorun.exe
3536 autorun.exe
3536 autorun.exe
3536 autorun.exe
3536 autorun.exe
3536 autorun.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

autorun.exe

description	ioc	process
File opened (read-only)	\??\J:	autorun.exe
File opened (read-only)	\??\M:	autorun.exe
File opened (read-only)	\??\N:	autorun.exe
File opened (read-only)	\??\Y:	autorun.exe
File opened (read-only)	\??\H:	autorun.exe
File opened (read-only)	\??\K:	autorun.exe
File opened (read-only)	\??\L:	autorun.exe
File opened (read-only)	\??\Q:	autorun.exe
File opened (read-only)	\??\S:	autorun.exe
File opened (read-only)	\??\Z:	autorun.exe
File opened (read-only)	\??\X:	autorun.exe
File opened (read-only)	\??\F:	autorun.exe
File opened (read-only)	\??\G:	autorun.exe
File opened (read-only)	\??\P:	autorun.exe
File opened (read-only)	\??\U:	autorun.exe
File opened (read-only)	\??\V:	autorun.exe
File opened (read-only)	\??\W:	autorun.exe
File opened (read-only)	\??\T:	autorun.exe
File opened (read-only)	\??\A:	autorun.exe
File opened (read-only)	\??\B:	autorun.exe
File opened (read-only)	\??\E:	autorun.exe
File opened (read-only)	\??\I:	autorun.exe
File opened (read-only)	\??\O:	autorun.exe
File opened (read-only)	\??\R:	autorun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

autorun.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	3536	autorun.exe
Token: SeCreatePagefilePrivilege	3536	autorun.exe
Token: 33	4732	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4732	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

run.exeautorun.exe

pid	process
2124	run.exe
3536	autorun.exe
3536	autorun.exe
3536	autorun.exe
3536	autorun.exe
3536	autorun.exe
3536	autorun.exe
3536	autorun.exe
3536	autorun.exe
3536	autorun.exe
3536	autorun.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

abe1d2eca52bf75ae14e0016d2e96ba3e6947c294fcc52def005c3f70ddd0a35.exerun.exe

description	pid	process	target process
PID 4884 wrote to memory of 2124	4884	abe1d2eca52bf75ae14e0016d2e96ba3e6947c294fcc52def005c3f70ddd0a35.exe	run.exe
PID 4884 wrote to memory of 2124	4884	abe1d2eca52bf75ae14e0016d2e96ba3e6947c294fcc52def005c3f70ddd0a35.exe	run.exe
PID 4884 wrote to memory of 2124	4884	abe1d2eca52bf75ae14e0016d2e96ba3e6947c294fcc52def005c3f70ddd0a35.exe	run.exe
PID 2124 wrote to memory of 3536	2124	run.exe	autorun.exe
PID 2124 wrote to memory of 3536	2124	run.exe	autorun.exe
PID 2124 wrote to memory of 3536	2124	run.exe	autorun.exe

C:\Users\Admin\AppData\Local\Temp\abe1d2eca52bf75ae14e0016d2e96ba3e6947c294fcc52def005c3f70ddd0a35.exe
"C:\Users\Admin\AppData\Local\Temp\abe1d2eca52bf75ae14e0016d2e96ba3e6947c294fcc52def005c3f70ddd0a35.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Local\Temp\RarSFX0\autorun.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\autorun.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3536

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x4f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HtmlView.fne
Filesize
212KB

MD5
5971fdd6e99498695ae742e4f51f0405

SHA1
de14276ca9a6c8e718e1c69bac40777538005346

SHA256
0a5d69da174b4012e32964f0b89cee0c2622c9accc251bb827a6cdf183cb17a6

SHA512
3ffdcdbb029ba9055d13eed3ef98085fd74e817330aec804294642add8399ce507ea581e24f8d0dedf8edbb38d7cf3755e2165c5578102c1bbf830e0fe4ad3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HtmlView.fne
Filesize
212KB

MD5
5971fdd6e99498695ae742e4f51f0405

SHA1
de14276ca9a6c8e718e1c69bac40777538005346

SHA256
0a5d69da174b4012e32964f0b89cee0c2622c9accc251bb827a6cdf183cb17a6

SHA512
3ffdcdbb029ba9055d13eed3ef98085fd74e817330aec804294642add8399ce507ea581e24f8d0dedf8edbb38d7cf3755e2165c5578102c1bbf830e0fe4ad3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HtmlView.fne
Filesize
212KB

MD5
5971fdd6e99498695ae742e4f51f0405

SHA1
de14276ca9a6c8e718e1c69bac40777538005346

SHA256
0a5d69da174b4012e32964f0b89cee0c2622c9accc251bb827a6cdf183cb17a6

SHA512
3ffdcdbb029ba9055d13eed3ef98085fd74e817330aec804294642add8399ce507ea581e24f8d0dedf8edbb38d7cf3755e2165c5578102c1bbf830e0fe4ad3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\autorun.dat
Filesize
562KB

MD5
e66cb8168b10d19ce5b07990cd667199

SHA1
90a7d61c3aa7f415506663496ad743675a04e89d

SHA256
31c06da18ddd86027a1e539a296e6d71458170ed65a6e78a8902a0337e97b948

SHA512
9e55118a9e6c0aed0690c6c4a383fd3daffe758fc96571827c2c6dca955ed4fec94c244e09440517c42e741fae07ec3c644104819a762a8dc3504db0aeab7d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\autorun.exe
Filesize
34KB

MD5
1d6ee6207d415f8c09fa803ab2ae9197

SHA1
425b9d49ff29f6fdbe4220f2815c9371f3f3c956

SHA256
ebccda1c40d9bf4b6c7048566b31c57e346ddde7973a9e2214092abbaf247ab8

SHA512
2f300efa747e52bb9fbf74581f40a8e9e9f351c8c0f88acb3602f9244410f41681c22b6bad8d9d237c0ae29c7ecec30ee4eb57b5110b97142b374c5bb8939b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\autorun.exe
Filesize
34KB

MD5
1d6ee6207d415f8c09fa803ab2ae9197

SHA1
425b9d49ff29f6fdbe4220f2815c9371f3f3c956

SHA256
ebccda1c40d9bf4b6c7048566b31c57e346ddde7973a9e2214092abbaf247ab8

SHA512
2f300efa747e52bb9fbf74581f40a8e9e9f351c8c0f88acb3602f9244410f41681c22b6bad8d9d237c0ae29c7ecec30ee4eb57b5110b97142b374c5bb8939b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bg.dat
Filesize
51B

MD5
04f392acd1cc409b21bbe1985f6080e5

SHA1
f5f4acbc5eea8b8817c0ac0f5acff9d794cab78a

SHA256
7281815fe2ac6cc914977db78791ff5c94be91cd5cb817bd3e7ef7593bac2126

SHA512
61f9edc479b8c11ae63efd21d0e6f452fb00fba22cc3b786fdce36a962f2d8ca03f510b8d382dcd69eb5d35fc60ac1b4d78992b97a3ed33028d9c37c8a1b6789

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iext2.fne
Filesize
252KB

MD5
ea247ace5ff3b3c2a3c2f81d2c2920f8

SHA1
915d2518f8cb5da4ee2e8ed79aadd8d663a8ab63

SHA256
19eef661d06063852b573ca4af213b631eddb87ca249c4e7451a6e4a96df3f1b

SHA512
780e8b471b35fcc32d04b5317813ec77fcca646561c91a3beba83e19f54241261296fbfa8a486647bb8b73eda5f1af7b262646c158d73dc090f8ebcaf4e7b3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iext2.fne
Filesize
252KB

MD5
ea247ace5ff3b3c2a3c2f81d2c2920f8

SHA1
915d2518f8cb5da4ee2e8ed79aadd8d663a8ab63

SHA256
19eef661d06063852b573ca4af213b631eddb87ca249c4e7451a6e4a96df3f1b

SHA512
780e8b471b35fcc32d04b5317813ec77fcca646561c91a3beba83e19f54241261296fbfa8a486647bb8b73eda5f1af7b262646c158d73dc090f8ebcaf4e7b3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iext2.fne
Filesize
252KB

MD5
ea247ace5ff3b3c2a3c2f81d2c2920f8

SHA1
915d2518f8cb5da4ee2e8ed79aadd8d663a8ab63

SHA256
19eef661d06063852b573ca4af213b631eddb87ca249c4e7451a6e4a96df3f1b

SHA512
780e8b471b35fcc32d04b5317813ec77fcca646561c91a3beba83e19f54241261296fbfa8a486647bb8b73eda5f1af7b262646c158d73dc090f8ebcaf4e7b3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.dat
Filesize
702KB

MD5
07f015a10a526d63b69916a20470c951

SHA1
c1096d4e3f5583ee83d968a9d5948b67eee7f33c

SHA256
2052b77ef4c52ad637284b895efca57b63e4be989269686576b287b3a23237dd

SHA512
b7a178dcedc23771ab143fd58ab0c4cbe13378883a0d173b4200b623f8b496e5f701fe2eac715975f3426411b612bf045cab46dcefc038f3f575762479b9734d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\krnln.fnr
Filesize
1.0MB

MD5
862a4d3321bb17293d97da7b1a72542c

SHA1
1910f8886a94e0cfd553119273bda49807e86f59

SHA256
c801bb3af24bd46b40f2bd4c9ddc8508e0edadb3f663f89898059bdb34d70171

SHA512
c439b429eba21f00f0bc765febf3407fbfa3116ace9b92abe49a24c5cd4e734fb561b2deb67db78bc0423ef11c14314a03d1c9780bbf67fcaac06ffa4fe2a5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\krnln.fnr
Filesize
1.0MB

MD5
862a4d3321bb17293d97da7b1a72542c

SHA1
1910f8886a94e0cfd553119273bda49807e86f59

SHA256
c801bb3af24bd46b40f2bd4c9ddc8508e0edadb3f663f89898059bdb34d70171

SHA512
c439b429eba21f00f0bc765febf3407fbfa3116ace9b92abe49a24c5cd4e734fb561b2deb67db78bc0423ef11c14314a03d1c9780bbf67fcaac06ffa4fe2a5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\krnln.fnr
Filesize
1.0MB

MD5
862a4d3321bb17293d97da7b1a72542c

SHA1
1910f8886a94e0cfd553119273bda49807e86f59

SHA256
c801bb3af24bd46b40f2bd4c9ddc8508e0edadb3f663f89898059bdb34d70171

SHA512
c439b429eba21f00f0bc765febf3407fbfa3116ace9b92abe49a24c5cd4e734fb561b2deb67db78bc0423ef11c14314a03d1c9780bbf67fcaac06ffa4fe2a5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\music.dat
Filesize
706KB

MD5
a77678ff4bf4f2c64aa396b3a9beea3f

SHA1
20685026af08c6bf8c9d39fa33665ba969bff613

SHA256
aa55cfcbcb1d4498b12200c8a13af908ee760fe773ee66d82d21cc93bc05002a

SHA512
cfa555103dcda93cc0c5c415c5c8c008eed946c04d8a72aab004d83757e31785ac57a7a833bd399a82a62995f24e3de8bd49456024c9252529bdef39b45b1e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ocx.run
Filesize
240KB

MD5
e3d15b0d60e5dba1f7663c0b0b88cb70

SHA1
8093f341fc3fcea5a1c9d5ab34c408d8492d8078

SHA256
86e3247ef21295cb622d773833b4aa19cceb13f0f1aedfde53bf517967d285a3

SHA512
d6bb75fbdb4875a74dedb76d9246d25fa2a900b016dff333fb001ddabfa09deaf37edb429ff0c7ef6f7d0c9d75d2f97b9072e785658739ce64d1e554b3a58cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ocx.run
Filesize
240KB

MD5
e3d15b0d60e5dba1f7663c0b0b88cb70

SHA1
8093f341fc3fcea5a1c9d5ab34c408d8492d8078

SHA256
86e3247ef21295cb622d773833b4aa19cceb13f0f1aedfde53bf517967d285a3

SHA512
d6bb75fbdb4875a74dedb76d9246d25fa2a900b016dff333fb001ddabfa09deaf37edb429ff0c7ef6f7d0c9d75d2f97b9072e785658739ce64d1e554b3a58cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ocx.run
Filesize
240KB

MD5
e3d15b0d60e5dba1f7663c0b0b88cb70

SHA1
8093f341fc3fcea5a1c9d5ab34c408d8492d8078

SHA256
86e3247ef21295cb622d773833b4aa19cceb13f0f1aedfde53bf517967d285a3

SHA512
d6bb75fbdb4875a74dedb76d9246d25fa2a900b016dff333fb001ddabfa09deaf37edb429ff0c7ef6f7d0c9d75d2f97b9072e785658739ce64d1e554b3a58cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.exe
Filesize
25KB

MD5
9e7c249d514ce35433b1e45c0e31669e

SHA1
72e4806a48418e7f86334316f1af62dd05895047

SHA256
178a640ee2fe444d9e7fd290afe12d26f3370da1691fca02cfa1475487dd9a1c

SHA512
f850af6d70f49579e5a2b654329a9e9b6d3f5b2f581fc599d9971f7e55885f13eb9533ae5d727c19b4b1dcc4804f5b379ae742fecc146bea230163ae667a0257

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.exe
Filesize
25KB

MD5
9e7c249d514ce35433b1e45c0e31669e

SHA1
72e4806a48418e7f86334316f1af62dd05895047

SHA256
178a640ee2fe444d9e7fd290afe12d26f3370da1691fca02cfa1475487dd9a1c

SHA512
f850af6d70f49579e5a2b654329a9e9b6d3f5b2f581fc599d9971f7e55885f13eb9533ae5d727c19b4b1dcc4804f5b379ae742fecc146bea230163ae667a0257

Download Submit
memory/2124-146-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2124-132-0x0000000000000000-mapping.dmp

Download
memory/3536-152-0x00000000068E0000-0x000000000692F000-memory.dmp

Filesize
316KB

Download
memory/3536-157-0x0000000008941000-0x0000000008960000-memory.dmp

Filesize
124KB

Download
memory/3536-147-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3536-158-0x0000000008940000-0x0000000008978000-memory.dmp

Filesize
224KB

Download
memory/3536-137-0x0000000000000000-mapping.dmp

Download
memory/3536-162-0x000000000CD60000-0x000000000CD70000-memory.dmp

Filesize
64KB

Download