adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630

General

Target

adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630.exe
Size

255KB
MD5

473e9df936b3c1c90b293fe6904fe58b
SHA1

ce3ddad6ddd85d255606b223d86b92f46bf7e540
SHA256

adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630
SHA512

7826cdc4502f15fe76432c716782bd777b775a581852eb28396cafcc039e27c7c6ba4c8bda8ce546f5a1df3aeb2b0e4389b5547d18699dbc4c3911657ef89d1c
SSDEEP

6144:7UnITMpSph0lMqqgWoDhujqcQQbxJhVGvkVbOcH4CIM4:7CQMY07qgWo6VVGvkVLAF

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Carefree\\plugin.dat"	regsvr32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
behavioral1/memory/596-66-0x000007FEFBE00000-0x000007FEFBE6D000-memory.dmp	upx
behavioral1/memory/596-67-0x000007FEFBE00000-0x000007FEFBE6D000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exe

pid process

960 regsvr32.exe
1340 regsvr32.exe
596 explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
960	regsvr32.exe
1340	regsvr32.exe
596	explorer.exe

Modifies registry class 44 IoCs

Processes:

regsvr32.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ = "ICarefreeIdentifier"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\ = "DDI1475 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ = "ICarefreeIdentifier"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ProxyStubClsid32	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Carefree\\plugin.dat"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\Version\ = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\ = "CarefreePluginLib"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\Carefree"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Carefree\\plugin.dat"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-147513EB215A}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630.exeexplorer.exe

pid	process
1632	adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630.exe
1632	adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630.exe
596	explorer.exe
596	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

596 explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

explorer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	596	explorer.exe
Token: SeShutdownPrivilege	596	explorer.exe
Token: SeShutdownPrivilege	596	explorer.exe
Token: SeShutdownPrivilege	596	explorer.exe
Token: SeShutdownPrivilege	596	explorer.exe
Token: SeShutdownPrivilege	596	explorer.exe
Token: SeShutdownPrivilege	596	explorer.exe
Token: SeShutdownPrivilege	596	explorer.exe
Token: SeShutdownPrivilege	596	explorer.exe
Token: SeShutdownPrivilege	596	explorer.exe
Token: 33	1656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1656	AUDIODG.EXE
Token: 33	1656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1656	AUDIODG.EXE
Token: SeShutdownPrivilege	596	explorer.exe
Token: SeShutdownPrivilege	596	explorer.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

explorer.exe

pid	process
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

explorer.exe

pid	process
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe
596	explorer.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630.exeregsvr32.exe

description	pid	process	target process
PID 1632 wrote to memory of 960	1632	adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630.exe	regsvr32.exe
PID 1632 wrote to memory of 960	1632	adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630.exe	regsvr32.exe
PID 1632 wrote to memory of 960	1632	adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630.exe	regsvr32.exe
PID 1632 wrote to memory of 960	1632	adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630.exe	regsvr32.exe
PID 1632 wrote to memory of 960	1632	adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630.exe	regsvr32.exe
PID 1632 wrote to memory of 960	1632	adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630.exe	regsvr32.exe
PID 1632 wrote to memory of 960	1632	adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630.exe	regsvr32.exe
PID 960 wrote to memory of 1340	960	regsvr32.exe	regsvr32.exe
PID 960 wrote to memory of 1340	960	regsvr32.exe	regsvr32.exe
PID 960 wrote to memory of 1340	960	regsvr32.exe	regsvr32.exe
PID 960 wrote to memory of 1340	960	regsvr32.exe	regsvr32.exe
PID 960 wrote to memory of 1340	960	regsvr32.exe	regsvr32.exe
PID 960 wrote to memory of 1340	960	regsvr32.exe	regsvr32.exe
PID 960 wrote to memory of 1340	960	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630.exe
"C:\Users\Admin\AppData\Local\Temp\adf97fa5f3b97d5cfcebc1b563c8a90e4ade92d080004579073846dfa6a21630.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1340

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:596

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x590
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat

Filesize
95KB

MD5
0992d8a5a550d8f65b411b3f57f4c333

SHA1
4ee7acd5518c28fe84b45c275c78113f12384af8

SHA256
5a8880d07c98fc2312e3f6b74c4ab5c42ff9ee0da8a1722b07b0c8df817fcdc8

SHA512
1ca91d3c7ceca2e44e49642665ec40538b5391193414182537bffb35b5c9faef494775b4d454d7389117d1c49078d7c3862282fd6542de763091a04f59471851

Download Submit
C:\Users\Admin\AppData\Roaming\SogouPinyin.local

Filesize
89B

MD5
1d2c4255dbcfc0be8d1333a694ab3491

SHA1
3c544a6f361a1f96e2c656778449818f3a6d8176

SHA256
0600b5c30c2257b17e6e712df658b5a42b9d7319b7429552302942c8864e7f69

SHA512
8dda2ae021388c6eb4bec20ea0ede27fe2e8d390d6e46561bfaef84e4b9a47a1779e32b8f8dc31c3e541bc26febc1942790ef0c3e65d353d053c649c9558e679

Download Submit
\Users\Admin\AppData\Roaming\Carefree\plugin.dat

Filesize
95KB

MD5
0992d8a5a550d8f65b411b3f57f4c333

SHA1
4ee7acd5518c28fe84b45c275c78113f12384af8

SHA256
5a8880d07c98fc2312e3f6b74c4ab5c42ff9ee0da8a1722b07b0c8df817fcdc8

SHA512
1ca91d3c7ceca2e44e49642665ec40538b5391193414182537bffb35b5c9faef494775b4d454d7389117d1c49078d7c3862282fd6542de763091a04f59471851

Download Submit
\Users\Admin\AppData\Roaming\Carefree\plugin.dat

Filesize
95KB

MD5
0992d8a5a550d8f65b411b3f57f4c333

SHA1
4ee7acd5518c28fe84b45c275c78113f12384af8

SHA256
5a8880d07c98fc2312e3f6b74c4ab5c42ff9ee0da8a1722b07b0c8df817fcdc8

SHA512
1ca91d3c7ceca2e44e49642665ec40538b5391193414182537bffb35b5c9faef494775b4d454d7389117d1c49078d7c3862282fd6542de763091a04f59471851

Download Submit
\Users\Admin\AppData\Roaming\Carefree\plugin.dat

Filesize
95KB

MD5
0992d8a5a550d8f65b411b3f57f4c333

SHA1
4ee7acd5518c28fe84b45c275c78113f12384af8

SHA256
5a8880d07c98fc2312e3f6b74c4ab5c42ff9ee0da8a1722b07b0c8df817fcdc8

SHA512
1ca91d3c7ceca2e44e49642665ec40538b5391193414182537bffb35b5c9faef494775b4d454d7389117d1c49078d7c3862282fd6542de763091a04f59471851

Download Submit
memory/596-63-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

Filesize
8KB

Download
memory/596-66-0x000007FEFBE00000-0x000007FEFBE6D000-memory.dmp

Filesize
436KB

Download
memory/596-67-0x000007FEFBE00000-0x000007FEFBE6D000-memory.dmp

Filesize
436KB

Download
memory/596-68-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/960-61-0x0000000000220000-0x000000000028D000-memory.dmp

Filesize
436KB

Download
memory/960-55-0x0000000000000000-mapping.dmp

Download
memory/1340-60-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download
memory/1340-59-0x0000000000000000-mapping.dmp

Download
memory/1632-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads