9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8

General

Target

9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe
Size

252KB
MD5

39f80f18b02ee0cf9bba3a0d01900cd1
SHA1

4f74bd8dc6a7b93acca7e8ecb773c571a0e61f6b
SHA256

9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8
SHA512

925123513e9c7dc723d4242f7ce8fade4db2944483467c334ba76123808d301481f2bfa2219bbbd1ca8a677908843e716352f33543675bb8d6472e5b1e9b3501
SSDEEP

6144:6P6nejFShV25IXS7XAj+Lv998rirykvW9s8kedZCzNogr8Q+W:44O8hOXAo98rT2W1kedZ2p8Qr

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-C224309CAB7A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-C224309CAB7A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Carefree\\plugin.dat"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-C224309CAB7A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
behavioral1/memory/1324-65-0x000007FEFC120000-0x000007FEFC18D000-memory.dmp	upx
behavioral1/memory/1324-66-0x000007FEFC120000-0x000007FEFC18D000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exe

pid process

576 regsvr32.exe
1452 regsvr32.exe
1324 explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
576	regsvr32.exe
1452	regsvr32.exe
1324	explorer.exe

Modifies registry class 15 IoCs

Processes:

regsvr32.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-C224309CAB7A}\Programmable	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-C224309CAB7A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-C224309CAB7A}\Version	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-C224309CAB7A}\Version\ = "2.0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-C224309CAB7A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Carefree\\plugin.dat"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-C224309CAB7A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-C224309CAB7A}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-C224309CAB7A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-C224309CAB7A}\ = "DDIC224 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-C224309CAB7A}\InprocServer32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exeexplorer.exe

pid	process
1656	9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe
1656	9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe
1656	9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe
1656	9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe
1324	explorer.exe
1324	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1324 explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

explorer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: 33	996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	996	AUDIODG.EXE
Token: 33	996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	996	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

explorer.exe

pid	process
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

explorer.exe

pid	process
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exeregsvr32.exe

description	pid	process	target process
PID 1656 wrote to memory of 576	1656	9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe	regsvr32.exe
PID 1656 wrote to memory of 576	1656	9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe	regsvr32.exe
PID 1656 wrote to memory of 576	1656	9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe	regsvr32.exe
PID 1656 wrote to memory of 576	1656	9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe	regsvr32.exe
PID 1656 wrote to memory of 576	1656	9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe	regsvr32.exe
PID 1656 wrote to memory of 576	1656	9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe	regsvr32.exe
PID 1656 wrote to memory of 576	1656	9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe	regsvr32.exe
PID 576 wrote to memory of 1452	576	regsvr32.exe	regsvr32.exe
PID 576 wrote to memory of 1452	576	regsvr32.exe	regsvr32.exe
PID 576 wrote to memory of 1452	576	regsvr32.exe	regsvr32.exe
PID 576 wrote to memory of 1452	576	regsvr32.exe	regsvr32.exe
PID 576 wrote to memory of 1452	576	regsvr32.exe	regsvr32.exe
PID 576 wrote to memory of 1452	576	regsvr32.exe	regsvr32.exe
PID 576 wrote to memory of 1452	576	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe
"C:\Users\Admin\AppData\Local\Temp\9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1452

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1324

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x58c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat

Filesize
93KB

MD5
ebe4ac8e34be962ba72bf123d2c06dca

SHA1
4cdf6301c32f9451fca2b6b85e853902f05360fc

SHA256
e81ac0ac6c1bfb120ae9a5670ebe8511a2fdf7e40726faba3703ba74009834a6

SHA512
d4ca56a1baefc1a5444da84f536572cac4e4eea6bd2d3ce94db4e62e7f30d9db73bc25d7e8c3ee77073406d201cae301d5b67b762082dc6ae0cf6c91c1284285

Download Submit
C:\Users\Admin\AppData\Roaming\SogouPinyin.local

Filesize
89B

MD5
e57500099e9708e303e9419489b31cfa

SHA1
f878b32225c70d924f2c76ada903154960859f46

SHA256
316805e9e9251febc65fb4923503c5551d449ad012bfb23cfb29c85118bd8ccf

SHA512
e2101cad72d3d83f951d362aed7b5d9b5f01877cca7fc15f76ca4c4c7e6632208091cfe7781d7f24caabbc9c171ad8c27dae506d6c158fc910b1813447f17bff

Download Submit
\Users\Admin\AppData\Roaming\Carefree\plugin.dat

Filesize
93KB

MD5
ebe4ac8e34be962ba72bf123d2c06dca

SHA1
4cdf6301c32f9451fca2b6b85e853902f05360fc

SHA256
e81ac0ac6c1bfb120ae9a5670ebe8511a2fdf7e40726faba3703ba74009834a6

SHA512
d4ca56a1baefc1a5444da84f536572cac4e4eea6bd2d3ce94db4e62e7f30d9db73bc25d7e8c3ee77073406d201cae301d5b67b762082dc6ae0cf6c91c1284285

Download Submit
\Users\Admin\AppData\Roaming\Carefree\plugin.dat

Filesize
93KB

MD5
ebe4ac8e34be962ba72bf123d2c06dca

SHA1
4cdf6301c32f9451fca2b6b85e853902f05360fc

SHA256
e81ac0ac6c1bfb120ae9a5670ebe8511a2fdf7e40726faba3703ba74009834a6

SHA512
d4ca56a1baefc1a5444da84f536572cac4e4eea6bd2d3ce94db4e62e7f30d9db73bc25d7e8c3ee77073406d201cae301d5b67b762082dc6ae0cf6c91c1284285

Download Submit
\Users\Admin\AppData\Roaming\Carefree\plugin.dat

Filesize
93KB

MD5
ebe4ac8e34be962ba72bf123d2c06dca

SHA1
4cdf6301c32f9451fca2b6b85e853902f05360fc

SHA256
e81ac0ac6c1bfb120ae9a5670ebe8511a2fdf7e40726faba3703ba74009834a6

SHA512
d4ca56a1baefc1a5444da84f536572cac4e4eea6bd2d3ce94db4e62e7f30d9db73bc25d7e8c3ee77073406d201cae301d5b67b762082dc6ae0cf6c91c1284285

Download Submit
memory/576-55-0x0000000000000000-mapping.dmp

Download
memory/1324-62-0x000007FEFC3F1000-0x000007FEFC3F3000-memory.dmp

Filesize
8KB

Download
memory/1324-65-0x000007FEFC120000-0x000007FEFC18D000-memory.dmp

Filesize
436KB

Download
memory/1324-66-0x000007FEFC120000-0x000007FEFC18D000-memory.dmp

Filesize
436KB

Download
memory/1452-59-0x0000000000000000-mapping.dmp

Download
memory/1452-60-0x000007FEFC421000-0x000007FEFC423000-memory.dmp

Filesize
8KB

Download
memory/1656-54-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads