f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e

General

Target

f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe
Size

328KB
MD5

8d1c6effa663ddc8782cc4cb56f81fb6
SHA1

970cb2ddfcf29b8aad2069b5d8a04be32e94903e
SHA256

f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e
SHA512

7202e4b9043e466c059a29186727e5e919370d58e699a97c71c93161ae59fa3b25abe0422217e14a75e63b80e8835e7a91b08de3fd729ae7e39750f9f63c62d4
SSDEEP

6144:PZw5bV+pDR66lNJzoVjPOKUA8E+ymkv+qFNXzgoEy:qKw6JzWWhm5vz

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

xpx.exe

pid process

1680 xpx.exe

pid	process
1680	xpx.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

xpx.exe

pid process

1680 xpx.exe

pid	process
1680	xpx.exe

Loads dropped DLL 2 IoCs

Processes:

f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe

pid	process
1696	f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe
1696	f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe

pid	process
1696	f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe
1696	f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe
1696	f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe
1696	f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe
1696	f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe
1696	f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe
1696	f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe
1696	f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1224 explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

explorer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: 33	1828	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1828	AUDIODG.EXE
Token: 33	1828	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1828	AUDIODG.EXE
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

explorer.exe

pid	process
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

explorer.exe

pid	process
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe

description	pid	process	target process
PID 1696 wrote to memory of 1680	1696	f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe	xpx.exe
PID 1696 wrote to memory of 1680	1696	f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe	xpx.exe
PID 1696 wrote to memory of 1680	1696	f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe	xpx.exe
PID 1696 wrote to memory of 1680	1696	f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe	xpx.exe

C:\Users\Admin\AppData\Local\Temp\f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe
"C:\Users\Admin\AppData\Local\Temp\f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\xpx.exe
"C:\Users\Admin\AppData\Local\xpx.exe" -gav C:\Users\Admin\AppData\Local\Temp\f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e.exe
2⤵
- Executes dropped EXE
- Deletes itself
PID:1680

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1224

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1b0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\xpx.exe
Filesize
328KB

MD5
8d1c6effa663ddc8782cc4cb56f81fb6

SHA1
970cb2ddfcf29b8aad2069b5d8a04be32e94903e

SHA256
f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e

SHA512
7202e4b9043e466c059a29186727e5e919370d58e699a97c71c93161ae59fa3b25abe0422217e14a75e63b80e8835e7a91b08de3fd729ae7e39750f9f63c62d4

Download Submit
\Users\Admin\AppData\Local\xpx.exe
Filesize
328KB

MD5
8d1c6effa663ddc8782cc4cb56f81fb6

SHA1
970cb2ddfcf29b8aad2069b5d8a04be32e94903e

SHA256
f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e

SHA512
7202e4b9043e466c059a29186727e5e919370d58e699a97c71c93161ae59fa3b25abe0422217e14a75e63b80e8835e7a91b08de3fd729ae7e39750f9f63c62d4

Download Submit
\Users\Admin\AppData\Local\xpx.exe
Filesize
328KB

MD5
8d1c6effa663ddc8782cc4cb56f81fb6

SHA1
970cb2ddfcf29b8aad2069b5d8a04be32e94903e

SHA256
f2af7cd5e26a8b937e29f30fdbce846f7dc01616fe711c74da474e284185f68e

SHA512
7202e4b9043e466c059a29186727e5e919370d58e699a97c71c93161ae59fa3b25abe0422217e14a75e63b80e8835e7a91b08de3fd729ae7e39750f9f63c62d4

Download Submit
memory/1224-72-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/1224-70-0x000007FEFBDD1000-0x000007FEFBDD3000-memory.dmp

Filesize
8KB

Download
memory/1680-69-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1680-62-0x0000000000000000-mapping.dmp

Download
memory/1680-68-0x0000000001EF0000-0x00000000022FF000-memory.dmp

Filesize
4.1MB

Download
memory/1680-71-0x0000000001EF0000-0x00000000022FF000-memory.dmp

Filesize
4.1MB

Download
memory/1696-59-0x0000000000230000-0x000000000034D000-memory.dmp

Filesize
1.1MB

Download
memory/1696-58-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1696-57-0x00000000020B0000-0x00000000024BF000-memory.dmp

Filesize
4.1MB

Download
memory/1696-64-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-56-0x0000000000401000-0x000000000045B000-memory.dmp

Filesize
360KB

Download
memory/1696-55-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads