dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180

General

Target

dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe
Size

301KB
MD5

13f76da862727530cc7c259e03f44bca
SHA1

6cd04794ef5095b37811c834be64490bcd6fa670
SHA256

dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180
SHA512

a34f4a4648887dbcc74728b6d5c1d911308ecc97e34ff383f86687e76c7ecf4a247f1f6307af7de5b33f8e40ac9747b1897d6fab042c28b8069fa693c2b091c9
SSDEEP

6144:oHbanoe0iN2i4HOpM7/hOTUo6+gACuilHbGb7d:o7aoe0iEi4HDUTUoXFiNCp

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

updater.exeSystemService.exerec.exe

pid process

3552 updater.exe
1672 SystemService.exe
5016 rec.exe

pid	process
3552	updater.exe
1672	SystemService.exe
5016	rec.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exeupdater.exeSystemService.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	SystemService.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

updater.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ATIDriver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater.exe"	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

updater.exeSystemService.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	3552	updater.exe
Token: SeDebugPrivilege	1672	SystemService.exe
Token: 33	3468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3468	AUDIODG.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exeupdater.exeSystemService.exe

description	pid	process	target process
PID 2760 wrote to memory of 3552	2760	dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe	updater.exe
PID 2760 wrote to memory of 3552	2760	dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe	updater.exe
PID 3552 wrote to memory of 1672	3552	updater.exe	SystemService.exe
PID 3552 wrote to memory of 1672	3552	updater.exe	SystemService.exe
PID 3552 wrote to memory of 1672	3552	updater.exe	SystemService.exe
PID 1672 wrote to memory of 5016	1672	SystemService.exe	rec.exe
PID 1672 wrote to memory of 5016	1672	SystemService.exe	rec.exe
PID 1672 wrote to memory of 5016	1672	SystemService.exe	rec.exe

C:\Users\Admin\AppData\Local\Temp\dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe
"C:\Users\Admin\AppData\Local\Temp\dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\updater.exe
"C:\Users\Admin\AppData\Local\Temp\updater.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552

C:\Users\Admin\AppData\Local\Temp\SystemService.exe
"C:\Users\Admin\AppData\Local\Temp\SystemService.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\rec.exe
"C:\Users\Admin\AppData\Local\Temp\rec.exe"
4⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x25c 0x3bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SystemService.exe
Filesize
37KB

MD5
466667cea81ad59dc210ccb3bebbfa9e

SHA1
f4b2ef935d02a87939b125e5d4ac743d2ac7c892

SHA256
58b48fd39ef718e5bd501f57e83b537668b13176ca682aee36402d18bd0c0733

SHA512
f14c23a68dcb03839828a5a8a3ff3e50be5be0ad96750ec069180a080dbbf78972b530ba5c24f39331ac5c1b540bfb5e0791d7da124833f0b1a0b57df71e16fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemService.exe
Filesize
37KB

MD5
466667cea81ad59dc210ccb3bebbfa9e

SHA1
f4b2ef935d02a87939b125e5d4ac743d2ac7c892

SHA256
58b48fd39ef718e5bd501f57e83b537668b13176ca682aee36402d18bd0c0733

SHA512
f14c23a68dcb03839828a5a8a3ff3e50be5be0ad96750ec069180a080dbbf78972b530ba5c24f39331ac5c1b540bfb5e0791d7da124833f0b1a0b57df71e16fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rec.exe
Filesize
23KB

MD5
5902ced863dfbe0ed36bead2c12cf32b

SHA1
b544281e6f3810421661cb97869e731400784653

SHA256
4a1be7234bd87520b7f65d902d874e4dad8d42e48f53ce46dfb0ffb00cd5fee6

SHA512
78ea5435a14f706d6048b119797d6d8589b3dacee54465f1b4e63b28798bfc3ed9e77b3e262a48526196b0731b136124427c1001804c2b3c7d41cef64225161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rec.exe
Filesize
23KB

MD5
5902ced863dfbe0ed36bead2c12cf32b

SHA1
b544281e6f3810421661cb97869e731400784653

SHA256
4a1be7234bd87520b7f65d902d874e4dad8d42e48f53ce46dfb0ffb00cd5fee6

SHA512
78ea5435a14f706d6048b119797d6d8589b3dacee54465f1b4e63b28798bfc3ed9e77b3e262a48526196b0731b136124427c1001804c2b3c7d41cef64225161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\updater.exe
Filesize
18KB

MD5
9eb3d9e045dba73f449661a2a49a9e6d

SHA1
1926f1727c717a1f3c95d56683f9452dc0c1a73f

SHA256
9b6595980751537adf627e6107c08537de13e39752ed54c73e2b6af23e2a2769

SHA512
851b639109842b4691652b60f3ce4fea7ea3669426c5bf56d3c59a94d4981e4d6e171c59edc15b53dba1ada38785e83dbfcf43ee70c144e9a3ca03d43dbf4778

Download Submit
C:\Users\Admin\AppData\Local\Temp\updater.exe
Filesize
18KB

MD5
9eb3d9e045dba73f449661a2a49a9e6d

SHA1
1926f1727c717a1f3c95d56683f9452dc0c1a73f

SHA256
9b6595980751537adf627e6107c08537de13e39752ed54c73e2b6af23e2a2769

SHA512
851b639109842b4691652b60f3ce4fea7ea3669426c5bf56d3c59a94d4981e4d6e171c59edc15b53dba1ada38785e83dbfcf43ee70c144e9a3ca03d43dbf4778

Download Submit
memory/1672-144-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/1672-137-0x0000000000000000-mapping.dmp

Download
memory/1672-139-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3552-135-0x00007FFE840C0000-0x00007FFE84AF6000-memory.dmp

Filesize
10.2MB

Download
memory/3552-132-0x0000000000000000-mapping.dmp

Download
memory/5016-141-0x0000000000000000-mapping.dmp

Download
memory/5016-143-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/5016-145-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads