962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a

General

Target

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Size

298KB
MD5

93caba46f3c5d9aeb9c9fad652a57361
SHA1

1473a0d514eae8cf4b829d552817becc5acb586a
SHA256

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a
SHA512

ce48dee408cc1acc25e15c0e9354b1fa35c30e33a12a6b66346dd0a35d2668a05d5f01ed43be2c1709fbe1dce287e57a30fa18a7983a15b96e2461f334c8d922
SSDEEP

6144:I7YfIbo3sjP3PN/dfomL4ZPba/Oauy26UjD5uL:I7tbSsD31FxCevpzUjD5uL

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\juqsvyqvq.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\juqsvyqvq.exe\DisableExceptionChainValidation	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description ioc process

File created C:\ProgramData\CreativeAudio\desktop.ini 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	ioc	process
File created	C:\ProgramData\CreativeAudio\desktop.ini	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	pid	process	target process
PID 1484 set thread context of 1020	1484	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1668 schtasks.exe

pid	process
1668	schtasks.exe

Modifies registry class 7 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{C6B99057-3FAA-FB4F-BC05-25551BA8209D}\0E7302EC	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{C6B99057-3FAA-FB4F-BC05-25551BA8209D}\0E7302EC\CG1\HAL = 05ee0000	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{C6B99057-3FAA-FB4F-BC05-25551BA8209D}\0E7302EC\ê'µt3	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{C6B99057-3FAA-FB4F-BC05-25551BA8209D}\0E7302EC\ê'µt3\BID = 2000080019000b00e60700001400000019000e0016001400000000009ccf8063	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{C6B99057-3FAA-FB4F-BC05-25551BA8209D}\0E7302EC\CG1	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{C6B99057-3FAA-FB4F-BC05-25551BA8209D}	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

pid	process
1484	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
1484	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

pid	process
1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

pid process

1020 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	pid	process
Token: SeRestorePrivilege	1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Token: SeBackupPrivilege	1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Token: SeDebugPrivilege	1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	pid	process	target process
PID 1484 wrote to memory of 1020	1484	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 1484 wrote to memory of 1020	1484	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 1484 wrote to memory of 1020	1484	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 1484 wrote to memory of 1020	1484	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 1484 wrote to memory of 1020	1484	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 1484 wrote to memory of 1020	1484	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 1484 wrote to memory of 1020	1484	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 1484 wrote to memory of 1020	1484	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 1484 wrote to memory of 1020	1484	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 1484 wrote to memory of 1020	1484	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 1020 wrote to memory of 1668	1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	schtasks.exe
PID 1020 wrote to memory of 1668	1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	schtasks.exe
PID 1020 wrote to memory of 1668	1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	schtasks.exe
PID 1020 wrote to memory of 1668	1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	schtasks.exe
PID 1020 wrote to memory of 732	1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	WerFault.exe
PID 1020 wrote to memory of 732	1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	WerFault.exe
PID 1020 wrote to memory of 732	1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	WerFault.exe
PID 1020 wrote to memory of 732	1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	WerFault.exe
PID 1020 wrote to memory of 732	1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	WerFault.exe
PID 1020 wrote to memory of 732	1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	WerFault.exe
PID 1020 wrote to memory of 732	1020	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
"C:\Users\Admin\AppData\Local\Temp\962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
"C:\Users\Admin\AppData\Local\Temp\962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe"
2⤵
- Sets file execution options in registry
- Checks for any installed AV software in registry
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x0E7302EC" /TR "C:\ProgramData\CreativeAudio\juqsvyqvq.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1668

C:\Windows\SysWOW64\WerFault.exe
"C:\Windows\SysWOW64\WerFault.exe"
3⤵
PID:732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Security Software Discovery

1

T1063

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/732-72-0x0000000000000000-mapping.dmp

Download
memory/732-77-0x0000000000190000-0x0000000000229000-memory.dmp

Filesize
612KB

Download
memory/732-76-0x0000000077200000-0x0000000077381000-memory.dmp

Filesize
1.5MB

Download
memory/732-75-0x0000000000190000-0x0000000000229000-memory.dmp

Filesize
612KB

Download
memory/732-74-0x0000000077200000-0x0000000077381000-memory.dmp

Filesize
1.5MB

Download
memory/1020-67-0x00000000002C0000-0x000000000030B000-memory.dmp

Filesize
300KB

Download
memory/1020-69-0x00000000002C0000-0x000000000030B000-memory.dmp

Filesize
300KB

Download
memory/1020-62-0x000000000040120A-mapping.dmp

Download
memory/1020-64-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1020-66-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1020-55-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1020-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1020-61-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1020-70-0x00000000005D0000-0x00000000005DB000-memory.dmp

Filesize
44KB

Download
memory/1020-56-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1020-73-0x00000000002C0000-0x000000000030B000-memory.dmp

Filesize
300KB

Download
memory/1020-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1020-58-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1020-57-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1484-54-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1668-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads