eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9

Analysis

max time kernel
144s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
Size

1003KB
MD5

7246a9eea074161e8ad973fd2906ed6e
SHA1

c204ca7a88601774f11e12daad47ec7d484e4e76
SHA256

eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9
SHA512

7af1a680c26d6074e4b9660de14d5d9249057d4a6c7beec146ce1297163277a2e2e3cc091afeca4e8633ffc0c734c11fc18a82f3b368c1bcac52ce85c7e7413f
SSDEEP

24576:Z5VmxtbjHpREieEYWQh/NFnNSq2weE3/ld2pAgf:ZetbDpREieJWQh1FnNSUeE3/uDf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
268	File.exe

Loads dropped DLL 3 IoCs

pid	Process
1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
268	File.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\BASSMOD.dll	File.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
Token: 33	1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
Token: SeIncBasePriorityPrivilege	1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
Token: 33	1804	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1804	AUDIODG.EXE
Token: 33	1804	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1804	AUDIODG.EXE
Token: SeDebugPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe
Token: 33	268	File.exe
Token: SeIncBasePriorityPrivilege	268	File.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 268	1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	28
PID 1152 wrote to memory of 268	1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	28
PID 1152 wrote to memory of 268	1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	28
PID 1152 wrote to memory of 268	1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	28
PID 1152 wrote to memory of 1400	1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	29
PID 1152 wrote to memory of 1400	1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	29
PID 1152 wrote to memory of 1400	1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	29
PID 1152 wrote to memory of 1400	1152	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	29

C:\Users\Admin\AppData\Local\Temp\eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
"C:\Users\Admin\AppData\Local\Temp\eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Users\Admin\AppData\Local\Temp\eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
  C:\Users\Admin\AppData\Local\Temp\eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
  2⤵
  PID:1400

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
152KB

MD5
86876e49f7f1f48e5c57fddd3b39f21a

SHA1
d6069a67f5d43d1a8db62d4d3cc03dddd6c682d1

SHA256
e8460de213cc97a76809d029862435d32c9c2a720a8271b244b5a9971023e6ec

SHA512
11d64930dae3b9e6d42b40c4b15af1155a0fad2e22cd28f49bc03e25775cc99ec7f5df1d643db49dcb6f7e2ff1cf251624d2c57bc4fdb149bdfa05c78b14128c

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
152KB

MD5
86876e49f7f1f48e5c57fddd3b39f21a

SHA1
d6069a67f5d43d1a8db62d4d3cc03dddd6c682d1

SHA256
e8460de213cc97a76809d029862435d32c9c2a720a8271b244b5a9971023e6ec

SHA512
11d64930dae3b9e6d42b40c4b15af1155a0fad2e22cd28f49bc03e25775cc99ec7f5df1d643db49dcb6f7e2ff1cf251624d2c57bc4fdb149bdfa05c78b14128c

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe

Filesize
152KB

MD5
86876e49f7f1f48e5c57fddd3b39f21a

SHA1
d6069a67f5d43d1a8db62d4d3cc03dddd6c682d1

SHA256
e8460de213cc97a76809d029862435d32c9c2a720a8271b244b5a9971023e6ec

SHA512
11d64930dae3b9e6d42b40c4b15af1155a0fad2e22cd28f49bc03e25775cc99ec7f5df1d643db49dcb6f7e2ff1cf251624d2c57bc4fdb149bdfa05c78b14128c

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe

Filesize
152KB

MD5
86876e49f7f1f48e5c57fddd3b39f21a

SHA1
d6069a67f5d43d1a8db62d4d3cc03dddd6c682d1

SHA256
e8460de213cc97a76809d029862435d32c9c2a720a8271b244b5a9971023e6ec

SHA512
11d64930dae3b9e6d42b40c4b15af1155a0fad2e22cd28f49bc03e25775cc99ec7f5df1d643db49dcb6f7e2ff1cf251624d2c57bc4fdb149bdfa05c78b14128c

Download Submit
\Windows\SysWOW64\BASSMOD.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
memory/268-63-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/268-65-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/268-67-0x0000000001FD6000-0x0000000001FE7000-memory.dmp

Filesize
68KB

Download
memory/268-68-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/268-69-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/268-70-0x0000000001FD6000-0x0000000001FE7000-memory.dmp

Filesize
68KB

Download
memory/1152-56-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1152-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1152-55-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1152-66-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download