c03b34fc27465c8792100644aed3211ae28025fbf106b5a26753f1ed3269ca92

General

Target

c03b34fc27465c8792100644aed3211ae28025fbf106b5a26753f1ed3269ca92.exe
Size

2.6MB
MD5

7648846df72d835112bcd047ea02b694
SHA1

bc72344d96a5bb37f7a58fbad6dd8ca3e2c585d5
SHA256

c03b34fc27465c8792100644aed3211ae28025fbf106b5a26753f1ed3269ca92
SHA512

5a6d744a658ac01b919a8a6725a5b30339949bcd753d2824f12583514cf2caa93132debf6169ba6cb18efdb45ad08a99e4d42936903a87f7b2ec3bfb59ef0fcc
SSDEEP

49152:x00WC6D14V2udOmEGz2wzdqMAtpmDv3HWlJg7ygO5Dbs7:x01KRoGz2wxqMAtcv32l7BQ

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

LocalbQyOSslHRh.exesystem.exe

pid process

4156 LocalbQyOSslHRh.exe
4972 system.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1296 netsh.exe

pid	process
4156	LocalbQyOSslHRh.exe
4972	system.exe

pid	process
1296	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LocalbQyOSslHRh.exec03b34fc27465c8792100644aed3211ae28025fbf106b5a26753f1ed3269ca92.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	LocalbQyOSslHRh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c03b34fc27465c8792100644aed3211ae28025fbf106b5a26753f1ed3269ca92.exe

Drops startup file 2 IoCs

Processes:

system.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dae31c02cb06222e776b9ccb9207edb1.exe	system.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dae31c02cb06222e776b9ccb9207edb1.exe	system.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

system.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dae31c02cb06222e776b9ccb9207edb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\system.exe\" .."	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dae31c02cb06222e776b9ccb9207edb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\system.exe\" .."	system.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

LocalbQyOSslHRh.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	LocalbQyOSslHRh.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	LocalbQyOSslHRh.exe

Drops file in Windows directory 3 IoCs

Processes:

LocalbQyOSslHRh.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	LocalbQyOSslHRh.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	LocalbQyOSslHRh.exe
File opened for modification	C:\Windows\assembly	LocalbQyOSslHRh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

c03b34fc27465c8792100644aed3211ae28025fbf106b5a26753f1ed3269ca92.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	c03b34fc27465c8792100644aed3211ae28025fbf106b5a26753f1ed3269ca92.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

4828 vlc.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

system.exe

pid	process
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe
4972	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

4828 vlc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

AUDIODG.EXEvlc.exesystem.exe

description	pid	process
Token: 33	2804	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2804	AUDIODG.EXE
Token: 33	4828	vlc.exe
Token: SeIncBasePriorityPrivilege	4828	vlc.exe
Token: SeDebugPrivilege	4972	system.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

vlc.exe

pid	process
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe
4828	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

vlc.exe

pid process

4828 vlc.exe
4828 vlc.exe
4828 vlc.exe
4828 vlc.exe
4828 vlc.exe
4828 vlc.exe
4828 vlc.exe
4828 vlc.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

vlc.exe

pid process

4828 vlc.exe
4828 vlc.exe
4828 vlc.exe
4828 vlc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c03b34fc27465c8792100644aed3211ae28025fbf106b5a26753f1ed3269ca92.exeLocalbQyOSslHRh.exesystem.exe

description	pid	process	target process
PID 1560 wrote to memory of 4156	1560	c03b34fc27465c8792100644aed3211ae28025fbf106b5a26753f1ed3269ca92.exe	LocalbQyOSslHRh.exe
PID 1560 wrote to memory of 4156	1560	c03b34fc27465c8792100644aed3211ae28025fbf106b5a26753f1ed3269ca92.exe	LocalbQyOSslHRh.exe
PID 1560 wrote to memory of 4828	1560	c03b34fc27465c8792100644aed3211ae28025fbf106b5a26753f1ed3269ca92.exe	vlc.exe
PID 1560 wrote to memory of 4828	1560	c03b34fc27465c8792100644aed3211ae28025fbf106b5a26753f1ed3269ca92.exe	vlc.exe
PID 4156 wrote to memory of 4972	4156	LocalbQyOSslHRh.exe	system.exe
PID 4156 wrote to memory of 4972	4156	LocalbQyOSslHRh.exe	system.exe
PID 4972 wrote to memory of 1296	4972	system.exe	netsh.exe
PID 4972 wrote to memory of 1296	4972	system.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\c03b34fc27465c8792100644aed3211ae28025fbf106b5a26753f1ed3269ca92.exe
"C:\Users\Admin\AppData\Local\Temp\c03b34fc27465c8792100644aed3211ae28025fbf106b5a26753f1ed3269ca92.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\LocalbQyOSslHRh.exe
  "C:\Users\Admin\AppData\LocalbQyOSslHRh.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Users\Admin\AppData\Roaming\system.exe
    "C:\Users\Admin\AppData\Roaming\system.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\SYSTEM32\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\system.exe" "system.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1296
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\LocalzPmWTNcKAv.MP3"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4828

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x418
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalbQyOSslHRh.exe

Filesize
796KB

MD5
5bc64454987e8be50da8b62118d0b36e

SHA1
0aa757b6e1c43c8429c29c413f15b14476035f25

SHA256
2d4b760f956ad516c251e4036b05de51440751966537e618a6c5f6bd9396f399

SHA512
d425f9d90489a0aee34ae55eefc5b6f789084ccabe11402c1c77d92db14b5974a41de0f5b4cbdeeb12bead8fc16d2f853db514046802d8aaaf3f36db17077c73

Download Submit
C:\Users\Admin\AppData\LocalbQyOSslHRh.exe

Filesize
796KB

MD5
5bc64454987e8be50da8b62118d0b36e

SHA1
0aa757b6e1c43c8429c29c413f15b14476035f25

SHA256
2d4b760f956ad516c251e4036b05de51440751966537e618a6c5f6bd9396f399

SHA512
d425f9d90489a0aee34ae55eefc5b6f789084ccabe11402c1c77d92db14b5974a41de0f5b4cbdeeb12bead8fc16d2f853db514046802d8aaaf3f36db17077c73

Download Submit
C:\Users\Admin\AppData\LocalzPmWTNcKAv.MP3

Filesize
1.7MB

MD5
9422de3327f4f7f6b9b365c225bbbecb

SHA1
3e45d51ab6aac822bfc5e4ed6bf57c3354e32627

SHA256
c5b7940a7bfcc867cb7780390c1bfd1f0e3aaed7845c42b31cdc61a382ae5b24

SHA512
998cc7a37c5a12b359017cdf015c584a7c84d30296a1a1cc76e49ee8c3af488ab38aa461a490679b14d6caa03e40ec16c86a3667b5e6101102a00571f47d07f0

Download Submit
C:\Users\Admin\AppData\Roaming\system.exe

Filesize
796KB

MD5
5bc64454987e8be50da8b62118d0b36e

SHA1
0aa757b6e1c43c8429c29c413f15b14476035f25

SHA256
2d4b760f956ad516c251e4036b05de51440751966537e618a6c5f6bd9396f399

SHA512
d425f9d90489a0aee34ae55eefc5b6f789084ccabe11402c1c77d92db14b5974a41de0f5b4cbdeeb12bead8fc16d2f853db514046802d8aaaf3f36db17077c73

Download Submit
C:\Users\Admin\AppData\Roaming\system.exe

Filesize
796KB

MD5
5bc64454987e8be50da8b62118d0b36e

SHA1
0aa757b6e1c43c8429c29c413f15b14476035f25

SHA256
2d4b760f956ad516c251e4036b05de51440751966537e618a6c5f6bd9396f399

SHA512
d425f9d90489a0aee34ae55eefc5b6f789084ccabe11402c1c77d92db14b5974a41de0f5b4cbdeeb12bead8fc16d2f853db514046802d8aaaf3f36db17077c73

Download Submit
memory/1296-143-0x0000000000000000-mapping.dmp

Download
memory/1560-132-0x00007FFA05790000-0x00007FFA061C6000-memory.dmp

Filesize
10.2MB

Download
memory/4156-133-0x0000000000000000-mapping.dmp

Download
memory/4156-136-0x00007FFA05790000-0x00007FFA061C6000-memory.dmp

Filesize
10.2MB

Download
memory/4828-137-0x0000000000000000-mapping.dmp

Download
memory/4972-139-0x0000000000000000-mapping.dmp

Download
memory/4972-142-0x00007FFA03CA0000-0x00007FFA046D6000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads