Analysis
- max time kernel: 143s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 23:00
Static task: static1
Behavioral task: behavioral1
- Sample: dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe
- Resource: win10v2004-20220812-en
General
- Target: dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe
- Size: 301KB
- MD5: 13f76da862727530cc7c259e03f44bca
- SHA1: 6cd04794ef5095b37811c834be64490bcd6fa670
- SHA256: dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180
- SHA512: a34f4a4648887dbcc74728b6d5c1d911308ecc97e34ff383f86687e76c7ecf4a247f1f6307af7de5b33f8e40ac9747b1897d6fab042c28b8069fa693c2b091c9
- SSDEEP: 6144:oHbanoe0iN2i4HOpM7/hOTUo6+gACuilHbGb7d:o7aoe0iEi4HDUTUoXFiNCp
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: updater.exe, SystemService.exe, rec.exe
  - PID 3552: updater.exe
  - PID 1672: SystemService.exe
  - PID 5016: rec.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe, updater.exe, SystemService.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (updater.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (SystemService.exe)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: updater.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ATIDriver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater.exe" (updater.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: updater.exe, SystemService.exe, AUDIODG.EXE
  - Token: SeDebugPrivilege, PID 3552 (updater.exe)
  - Token: SeDebugPrivilege, PID 1672 (SystemService.exe)
  - Token: 33, PID 3468 (AUDIODG.EXE)
  - Token: SeIncBasePriorityPrivilege, PID 3468 (AUDIODG.EXE)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe, updater.exe, SystemService.exe
  - PID 2760 wrote to memory of 3552: dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe -> updater.exe
  - PID 2760 wrote to memory of 3552: dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe -> updater.exe
  - PID 3552 wrote to memory of 1672: updater.exe -> SystemService.exe
  - PID 3552 wrote to memory of 1672: updater.exe -> SystemService.exe
  - PID 3552 wrote to memory of 1672: updater.exe -> SystemService.exe
  - PID 1672 wrote to memory of 5016: SystemService.exe -> rec.exe
  - PID 1672 wrote to memory of 5016: SystemService.exe -> rec.exe
  - PID 1672 wrote to memory of 5016: SystemService.exe -> rec.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dcab9b10e534aba826652995f8900aed6b121e23fb86338e2f6f596ddce76180.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\updater.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\updater.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\SystemService.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\SystemService.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\rec.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\rec.exe"
        - Executes dropped EXE
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x25c 0x3bc
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SystemService.exe
  - Filesize: 37KB
  - MD5: 466667cea81ad59dc210ccb3bebbfa9e
  - SHA1: f4b2ef935d02a87939b125e5d4ac743d2ac7c892
  - SHA256: 58b48fd39ef718e5bd501f57e83b537668b13176ca682aee36402d18bd0c0733
  - SHA512: f14c23a68dcb03839828a5a8a3ff3e50be5be0ad96750ec069180a080dbbf78972b530ba5c24f39331ac5c1b540bfb5e0791d7da124833f0b1a0b57df71e16fb
- C:\Users\Admin\AppData\Local\Temp\rec.exe
  - Filesize: 23KB
  - MD5: 5902ced863dfbe0ed36bead2c12cf32b
  - SHA1: b544281e6f3810421661cb97869e731400784653
  - SHA256: 4a1be7234bd87520b7f65d902d874e4dad8d42e48f53ce46dfb0ffb00cd5fee6
  - SHA512: 78ea5435a14f706d6048b119797d6d8589b3dacee54465f1b4e63b28798bfc3ed9e77b3e262a48526196b0731b136124427c1001804c2b3c7d41cef64225161c
- C:\Users\Admin\AppData\Local\Temp\updater.exe
  - Filesize: 18KB
  - MD5: 9eb3d9e045dba73f449661a2a49a9e6d
  - SHA1: 1926f1727c717a1f3c95d56683f9452dc0c1a73f
  - SHA256: 9b6595980751537adf627e6107c08537de13e39752ed54c73e2b6af23e2a2769
  - SHA512: 851b639109842b4691652b60f3ce4fea7ea3669426c5bf56d3c59a94d4981e4d6e171c59edc15b53dba1ada38785e83dbfcf43ee70c144e9a3ca03d43dbf4778
- memory/1672-144-0x0000000074B90000-0x0000000075141000-memory.dmp (Filesize: 5.7MB)
- memory/1672-137-0x0000000000000000-mapping.dmp
- memory/1672-139-0x0000000074B90000-0x0000000075141000-memory.dmp (Filesize: 5.7MB)
- memory/3552-135-0x00007FFE840C0000-0x00007FFE84AF6000-memory.dmp (Filesize: 10.2MB)
- memory/3552-132-0x0000000000000000-mapping.dmp
- memory/5016-141-0x0000000000000000-mapping.dmp
- memory/5016-143-0x0000000074B90000-0x0000000075141000-memory.dmp (Filesize: 5.7MB)
- memory/5016-145-0x0000000074B90000-0x0000000075141000-memory.dmp (Filesize: 5.7MB)