5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d

General

Target

5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
Size

1020KB
MD5

993bd6d2e46b2da20495aa0cfcf57d15
SHA1

165ed6f64873c3e505bf0210269234079aa42ffc
SHA256

5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d
SHA512

a33751041b518743a206ddee1f3225410db59230288808ba3698f01ba72281925ee798c48a88d644ea7bf597ce3dcaa41d9716b3313d33c777dd60822e98b7de
SSDEEP

24576:EgLTUe8B1dWKnCHFra8bYxXjzOcvmzSmWvO/5l:EgXUBzMNqzlvmzR/5

Score

9^/10

Malware Config

Signatures

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2400-135-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2400-135-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2400-135-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

BrokerInfrastructure.exeAudioEndpointBuilder.exe

pid process

4996 BrokerInfrastructure.exe
5020 AudioEndpointBuilder.exe

pid	process
4996	BrokerInfrastructure.exe
5020	AudioEndpointBuilder.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exeBrokerInfrastructure.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	BrokerInfrastructure.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

75 whatismyipaddress.com

flow	ioc
75	whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe

description	pid	process	target process
PID 3420 set thread context of 2400	3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exeBrokerInfrastructure.exe

pid	process
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
4996	BrokerInfrastructure.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
4996	BrokerInfrastructure.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
4996	BrokerInfrastructure.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
4996	BrokerInfrastructure.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
4996	BrokerInfrastructure.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
4996	BrokerInfrastructure.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exeBrokerInfrastructure.exe5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exeAudioEndpointBuilder.exe

description	pid	process
Token: SeDebugPrivilege	3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
Token: SeDebugPrivilege	4996	BrokerInfrastructure.exe
Token: SeDebugPrivilege	2400	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
Token: SeDebugPrivilege	5020	AudioEndpointBuilder.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exeBrokerInfrastructure.exe

description	pid	process	target process
PID 3420 wrote to memory of 2400	3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
PID 3420 wrote to memory of 2400	3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
PID 3420 wrote to memory of 2400	3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
PID 3420 wrote to memory of 2400	3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
PID 3420 wrote to memory of 2400	3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
PID 3420 wrote to memory of 2400	3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
PID 3420 wrote to memory of 2400	3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
PID 3420 wrote to memory of 2400	3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
PID 3420 wrote to memory of 4996	3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe	BrokerInfrastructure.exe
PID 3420 wrote to memory of 4996	3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe	BrokerInfrastructure.exe
PID 3420 wrote to memory of 4996	3420	5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe	BrokerInfrastructure.exe
PID 4996 wrote to memory of 5020	4996	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 4996 wrote to memory of 5020	4996	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 4996 wrote to memory of 5020	4996	BrokerInfrastructure.exe	AudioEndpointBuilder.exe

C:\Users\Admin\AppData\Local\Temp\5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
"C:\Users\Admin\AppData\Local\Temp\5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420

C:\Users\Admin\AppData\Local\Temp\5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
"C:\Users\Admin\AppData\Local\Temp\5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1020KB

MD5
993bd6d2e46b2da20495aa0cfcf57d15

SHA1
165ed6f64873c3e505bf0210269234079aa42ffc

SHA256
5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d

SHA512
a33751041b518743a206ddee1f3225410db59230288808ba3698f01ba72281925ee798c48a88d644ea7bf597ce3dcaa41d9716b3313d33c777dd60822e98b7de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1020KB

MD5
993bd6d2e46b2da20495aa0cfcf57d15

SHA1
165ed6f64873c3e505bf0210269234079aa42ffc

SHA256
5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d

SHA512
a33751041b518743a206ddee1f3225410db59230288808ba3698f01ba72281925ee798c48a88d644ea7bf597ce3dcaa41d9716b3313d33c777dd60822e98b7de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
59882082f35cfab34acb407b7e95241c

SHA1
caa21d2c0d24e317b48cc6d998e70e863f5a509d

SHA256
c92ab4aa356c559b7701747f53b4a09bc0643d96e2a269493eab7b101e31950d

SHA512
727f4e41b3c742720e4efc3d734a1fe4fc2d11711cb2874151a4087727db00e437997fec8a54bf46d8e6a5af4e6ea9b12e29f763f8ae30e8d209a4bd64a4cb98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
59882082f35cfab34acb407b7e95241c

SHA1
caa21d2c0d24e317b48cc6d998e70e863f5a509d

SHA256
c92ab4aa356c559b7701747f53b4a09bc0643d96e2a269493eab7b101e31950d

SHA512
727f4e41b3c742720e4efc3d734a1fe4fc2d11711cb2874151a4087727db00e437997fec8a54bf46d8e6a5af4e6ea9b12e29f763f8ae30e8d209a4bd64a4cb98

Download Submit
memory/2400-134-0x0000000000000000-mapping.dmp

Download
memory/2400-135-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2400-136-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/2400-145-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/3420-133-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/3420-132-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4996-140-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4996-137-0x0000000000000000-mapping.dmp

Download
memory/4996-146-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/5020-142-0x0000000000000000-mapping.dmp

Download
memory/5020-144-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/5020-147-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads