73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf

General

Target

73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exe
Size

255KB
MD5

82a6a151fcb82c69cd78890ea7e7d547
SHA1

99d8243705172092dac4584c67b3b81753b7bde6
SHA256

73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf
SHA512

995b170bc39c763215257b8b41e10024a11dc7ff493b76eb1986e6a90a056eef5721c7c3a5a0ee0bc164de627219e4d2387086185ed4c95a4733ea77e8d52605
SSDEEP

6144:7UnITMpSph0lMqqgWoDhujqcQQbxJhVGvkVbOcH4CIMf:7CQMY07qgWo6VVGvkVLAK

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Carefree\\plugin.dat"	regsvr32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
behavioral1/memory/1896-65-0x000007FEFC310000-0x000007FEFC37D000-memory.dmp	upx
behavioral1/memory/1896-66-0x000007FEFC310000-0x000007FEFC37D000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exe

pid process

2036 regsvr32.exe
2004 regsvr32.exe
1896 explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2036	regsvr32.exe
2004	regsvr32.exe
1896	explorer.exe

Modifies registry class 44 IoCs

Processes:

regsvr32.exeexplorer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ = "ICarefreeIdentifier"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Carefree\\plugin.dat"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\Carefree"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\ = "CarefreePluginLib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Carefree\\plugin.dat"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\Version\ = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\Version	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ = "ICarefreeIdentifier"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\ = "DDICE6D Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-CE6D1D0963F2}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exeexplorer.exe

pid	process
1236	73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exe
1236	73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exe
1896	explorer.exe
1896	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1896 explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

explorer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	1896	explorer.exe
Token: SeShutdownPrivilege	1896	explorer.exe
Token: SeShutdownPrivilege	1896	explorer.exe
Token: SeShutdownPrivilege	1896	explorer.exe
Token: SeShutdownPrivilege	1896	explorer.exe
Token: SeShutdownPrivilege	1896	explorer.exe
Token: SeShutdownPrivilege	1896	explorer.exe
Token: SeShutdownPrivilege	1896	explorer.exe
Token: SeShutdownPrivilege	1896	explorer.exe
Token: SeShutdownPrivilege	1896	explorer.exe
Token: 33	1948	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1948	AUDIODG.EXE
Token: 33	1948	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1948	AUDIODG.EXE
Token: SeShutdownPrivilege	1896	explorer.exe
Token: SeShutdownPrivilege	1896	explorer.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

explorer.exe

pid	process
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

explorer.exe

pid	process
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exeregsvr32.exe

description	pid	process	target process
PID 1236 wrote to memory of 2036	1236	73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exe	regsvr32.exe
PID 1236 wrote to memory of 2036	1236	73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exe	regsvr32.exe
PID 1236 wrote to memory of 2036	1236	73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exe	regsvr32.exe
PID 1236 wrote to memory of 2036	1236	73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exe	regsvr32.exe
PID 1236 wrote to memory of 2036	1236	73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exe	regsvr32.exe
PID 1236 wrote to memory of 2036	1236	73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exe	regsvr32.exe
PID 1236 wrote to memory of 2036	1236	73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exe	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exe
"C:\Users\Admin\AppData\Local\Temp\73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:2004

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1896

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5b0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat
Filesize
95KB

MD5
c5ab6a89bbd88cf4e2ecaddcde4c7ae1

SHA1
e4f980ddfb41c48aed1a91b0ae0a7d28ef38a5be

SHA256
92c5fc9cb87d67023f26746f1e1e032f4a54c9af17349c5ae2cc8a8c0a99cfde

SHA512
00e1fad76495345332b5f0d8c0a501e8a4dbbeb8dd5e3635a1e9553c350d52109a46bbb8b2190fff28e9df10c2c19ad59987b7e8dd8e9c3cc3f8b58af980b00d

Download Submit
C:\Users\Admin\AppData\Roaming\SogouPinyin.local
Filesize
89B

MD5
82647f94f00552bc201584d835036bca

SHA1
e3b5719dc39a0d524cd9f63d22e1de0a4985f987

SHA256
4d010eb53c6d31934b2328def4b428cd71cd57f21f8099b5790b475557048ca4

SHA512
81e47408abd5154b287e8796ae25a5196a25d2cc645cb0a3dc31c5d99a9f59786c5829c138e71167f9e51e5db4a05be02ca6451d98343e5bee24341e74359cfa

Download Submit
\Users\Admin\AppData\Roaming\Carefree\plugin.dat
Filesize
95KB

MD5
c5ab6a89bbd88cf4e2ecaddcde4c7ae1

SHA1
e4f980ddfb41c48aed1a91b0ae0a7d28ef38a5be

SHA256
92c5fc9cb87d67023f26746f1e1e032f4a54c9af17349c5ae2cc8a8c0a99cfde

SHA512
00e1fad76495345332b5f0d8c0a501e8a4dbbeb8dd5e3635a1e9553c350d52109a46bbb8b2190fff28e9df10c2c19ad59987b7e8dd8e9c3cc3f8b58af980b00d

Download Submit
\Users\Admin\AppData\Roaming\Carefree\plugin.dat
Filesize
95KB

MD5
c5ab6a89bbd88cf4e2ecaddcde4c7ae1

SHA1
e4f980ddfb41c48aed1a91b0ae0a7d28ef38a5be

SHA256
92c5fc9cb87d67023f26746f1e1e032f4a54c9af17349c5ae2cc8a8c0a99cfde

SHA512
00e1fad76495345332b5f0d8c0a501e8a4dbbeb8dd5e3635a1e9553c350d52109a46bbb8b2190fff28e9df10c2c19ad59987b7e8dd8e9c3cc3f8b58af980b00d

Download Submit
\Users\Admin\AppData\Roaming\Carefree\plugin.dat
Filesize
95KB

MD5
c5ab6a89bbd88cf4e2ecaddcde4c7ae1

SHA1
e4f980ddfb41c48aed1a91b0ae0a7d28ef38a5be

SHA256
92c5fc9cb87d67023f26746f1e1e032f4a54c9af17349c5ae2cc8a8c0a99cfde

SHA512
00e1fad76495345332b5f0d8c0a501e8a4dbbeb8dd5e3635a1e9553c350d52109a46bbb8b2190fff28e9df10c2c19ad59987b7e8dd8e9c3cc3f8b58af980b00d

Download Submit
memory/1236-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/1896-62-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/1896-65-0x000007FEFC310000-0x000007FEFC37D000-memory.dmp

Filesize
436KB

Download
memory/1896-66-0x000007FEFC310000-0x000007FEFC37D000-memory.dmp

Filesize
436KB

Download
memory/1896-67-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/2004-59-0x0000000000000000-mapping.dmp

Download
memory/2004-60-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/2036-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads