dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180

Analysis

max time kernel
53s
max time network
90s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe
Size

301KB
MD5

13f76da862727530cc7c259e03f44bca
SHA1

6cd04794ef5095b37811c834be64490bcd6fa670
SHA256

dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180
SHA512

a34f4a4648887dbcc74728b6d5c1d911308ecc97e34ff383f86687e76c7ecf4a247f1f6307af7de5b33f8e40ac9747b1897d6fab042c28b8069fa693c2b091c9
SSDEEP

6144:oHbanoe0iN2i4HOpM7/hOTUo6+gACuilHbGb7d:o7aoe0iEi4HDUTUoXFiNCp

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

updater.exeSystemService.exerec.exe

pid process

1380 updater.exe
1008 SystemService.exe
796 rec.exe

pid	process
1380	updater.exe
1008	SystemService.exe
796	rec.exe

Loads dropped DLL 5 IoCs

Processes:

dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exeSystemService.exe

pid	process
1620	dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe
1620	dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe
1620	dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe
1620	dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe
1008	SystemService.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

updater.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ATIDriver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater.exe"	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1576	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1576	AUDIODG.EXE
Token: 33	1576	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1576	AUDIODG.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exeupdater.exeSystemService.exe

description	pid	process	target process
PID 1620 wrote to memory of 1380	1620	dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe	updater.exe
PID 1620 wrote to memory of 1380	1620	dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe	updater.exe
PID 1620 wrote to memory of 1380	1620	dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe	updater.exe
PID 1620 wrote to memory of 1380	1620	dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe	updater.exe
PID 1380 wrote to memory of 1008	1380	updater.exe	SystemService.exe
PID 1380 wrote to memory of 1008	1380	updater.exe	SystemService.exe
PID 1380 wrote to memory of 1008	1380	updater.exe	SystemService.exe
PID 1380 wrote to memory of 1008	1380	updater.exe	SystemService.exe
PID 1380 wrote to memory of 1008	1380	updater.exe	SystemService.exe
PID 1380 wrote to memory of 1008	1380	updater.exe	SystemService.exe
PID 1380 wrote to memory of 1008	1380	updater.exe	SystemService.exe
PID 1008 wrote to memory of 796	1008	SystemService.exe	rec.exe
PID 1008 wrote to memory of 796	1008	SystemService.exe	rec.exe
PID 1008 wrote to memory of 796	1008	SystemService.exe	rec.exe
PID 1008 wrote to memory of 796	1008	SystemService.exe	rec.exe
PID 1008 wrote to memory of 796	1008	SystemService.exe	rec.exe
PID 1008 wrote to memory of 796	1008	SystemService.exe	rec.exe
PID 1008 wrote to memory of 796	1008	SystemService.exe	rec.exe

C:\Users\Admin\AppData\Local\Temp\dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe
"C:\Users\Admin\AppData\Local\Temp\dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\updater.exe
"C:\Users\Admin\AppData\Local\Temp\updater.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\SystemService.exe
"C:\Users\Admin\AppData\Local\Temp\SystemService.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\rec.exe
"C:\Users\Admin\AppData\Local\Temp\rec.exe"
4⤵
- Executes dropped EXE
PID:796

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x480
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SystemService.exe
Filesize
37KB

MD5
466667cea81ad59dc210ccb3bebbfa9e

SHA1
f4b2ef935d02a87939b125e5d4ac743d2ac7c892

SHA256
58b48fd39ef718e5bd501f57e83b537668b13176ca682aee36402d18bd0c0733

SHA512
f14c23a68dcb03839828a5a8a3ff3e50be5be0ad96750ec069180a080dbbf78972b530ba5c24f39331ac5c1b540bfb5e0791d7da124833f0b1a0b57df71e16fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemService.exe
Filesize
37KB

MD5
466667cea81ad59dc210ccb3bebbfa9e

SHA1
f4b2ef935d02a87939b125e5d4ac743d2ac7c892

SHA256
58b48fd39ef718e5bd501f57e83b537668b13176ca682aee36402d18bd0c0733

SHA512
f14c23a68dcb03839828a5a8a3ff3e50be5be0ad96750ec069180a080dbbf78972b530ba5c24f39331ac5c1b540bfb5e0791d7da124833f0b1a0b57df71e16fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rec.exe
Filesize
23KB

MD5
5902ced863dfbe0ed36bead2c12cf32b

SHA1
b544281e6f3810421661cb97869e731400784653

SHA256
4a1be7234bd87520b7f65d902d874e4dad8d42e48f53ce46dfb0ffb00cd5fee6

SHA512
78ea5435a14f706d6048b119797d6d8589b3dacee54465f1b4e63b28798bfc3ed9e77b3e262a48526196b0731b136124427c1001804c2b3c7d41cef64225161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rec.exe
Filesize
23KB

MD5
5902ced863dfbe0ed36bead2c12cf32b

SHA1
b544281e6f3810421661cb97869e731400784653

SHA256
4a1be7234bd87520b7f65d902d874e4dad8d42e48f53ce46dfb0ffb00cd5fee6

SHA512
78ea5435a14f706d6048b119797d6d8589b3dacee54465f1b4e63b28798bfc3ed9e77b3e262a48526196b0731b136124427c1001804c2b3c7d41cef64225161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\updater.exe
Filesize
18KB

MD5
9eb3d9e045dba73f449661a2a49a9e6d

SHA1
1926f1727c717a1f3c95d56683f9452dc0c1a73f

SHA256
9b6595980751537adf627e6107c08537de13e39752ed54c73e2b6af23e2a2769

SHA512
851b639109842b4691652b60f3ce4fea7ea3669426c5bf56d3c59a94d4981e4d6e171c59edc15b53dba1ada38785e83dbfcf43ee70c144e9a3ca03d43dbf4778

Download Submit
C:\Users\Admin\AppData\Local\Temp\updater.exe
Filesize
18KB

MD5
9eb3d9e045dba73f449661a2a49a9e6d

SHA1
1926f1727c717a1f3c95d56683f9452dc0c1a73f

SHA256
9b6595980751537adf627e6107c08537de13e39752ed54c73e2b6af23e2a2769

SHA512
851b639109842b4691652b60f3ce4fea7ea3669426c5bf56d3c59a94d4981e4d6e171c59edc15b53dba1ada38785e83dbfcf43ee70c144e9a3ca03d43dbf4778

Download Submit
\Users\Admin\AppData\Local\Temp\rec.exe
Filesize
23KB

MD5
5902ced863dfbe0ed36bead2c12cf32b

SHA1
b544281e6f3810421661cb97869e731400784653

SHA256
4a1be7234bd87520b7f65d902d874e4dad8d42e48f53ce46dfb0ffb00cd5fee6

SHA512
78ea5435a14f706d6048b119797d6d8589b3dacee54465f1b4e63b28798bfc3ed9e77b3e262a48526196b0731b136124427c1001804c2b3c7d41cef64225161c

Download Submit
\Users\Admin\AppData\Local\Temp\updater.exe
Filesize
18KB

MD5
9eb3d9e045dba73f449661a2a49a9e6d

SHA1
1926f1727c717a1f3c95d56683f9452dc0c1a73f

SHA256
9b6595980751537adf627e6107c08537de13e39752ed54c73e2b6af23e2a2769

SHA512
851b639109842b4691652b60f3ce4fea7ea3669426c5bf56d3c59a94d4981e4d6e171c59edc15b53dba1ada38785e83dbfcf43ee70c144e9a3ca03d43dbf4778

Download Submit
\Users\Admin\AppData\Local\Temp\updater.exe
Filesize
18KB

MD5
9eb3d9e045dba73f449661a2a49a9e6d

SHA1
1926f1727c717a1f3c95d56683f9452dc0c1a73f

SHA256
9b6595980751537adf627e6107c08537de13e39752ed54c73e2b6af23e2a2769

SHA512
851b639109842b4691652b60f3ce4fea7ea3669426c5bf56d3c59a94d4981e4d6e171c59edc15b53dba1ada38785e83dbfcf43ee70c144e9a3ca03d43dbf4778

Download Submit
\Users\Admin\AppData\Local\Temp\updater.exe
Filesize
18KB

MD5
9eb3d9e045dba73f449661a2a49a9e6d

SHA1
1926f1727c717a1f3c95d56683f9452dc0c1a73f

SHA256
9b6595980751537adf627e6107c08537de13e39752ed54c73e2b6af23e2a2769

SHA512
851b639109842b4691652b60f3ce4fea7ea3669426c5bf56d3c59a94d4981e4d6e171c59edc15b53dba1ada38785e83dbfcf43ee70c144e9a3ca03d43dbf4778

Download Submit
\Users\Admin\AppData\Local\Temp\updater.exe
Filesize
18KB

MD5
9eb3d9e045dba73f449661a2a49a9e6d

SHA1
1926f1727c717a1f3c95d56683f9452dc0c1a73f

SHA256
9b6595980751537adf627e6107c08537de13e39752ed54c73e2b6af23e2a2769

SHA512
851b639109842b4691652b60f3ce4fea7ea3669426c5bf56d3c59a94d4981e4d6e171c59edc15b53dba1ada38785e83dbfcf43ee70c144e9a3ca03d43dbf4778

Download Submit
memory/796-75-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/796-77-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/796-72-0x0000000000000000-mapping.dmp

Download
memory/1008-76-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/1008-66-0x0000000000000000-mapping.dmp

Download
memory/1008-69-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/1380-59-0x0000000000000000-mapping.dmp

Download
memory/1380-64-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

Filesize
8KB

Download
memory/1380-63-0x000007FEF2E30000-0x000007FEF3EC6000-memory.dmp

Filesize
16.6MB

Download
memory/1380-62-0x000007FEF3ED0000-0x000007FEF48F3000-memory.dmp

Filesize
10.1MB

Download
memory/1620-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download