84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816

General

Target

84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe
Size

286KB
MD5

91229cd6ebf3cbfb8ae88fb1a1924556
SHA1

1cd4db8797939ec61184d71272f620352e3e8320
SHA256

84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816
SHA512

29a8933363440c54d460480e3d42cb9b54529c2b328606901324b851829c73b8babd070566b7c0d2af7ba850f90af3144d8e029903388ea9ce7bfd0f6b9d2aec
SSDEEP

6144:SRsDAdas5rzOD7C6z7ZbfWp8oFNzd6q8MU/yAA02syu:b0fmDesWp8oFNzd6qI+0W

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

tja.exe

pid process

472 tja.exe

pid	process
472	tja.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

tja.exe

pid process

472 tja.exe

pid	process
472	tja.exe

Loads dropped DLL 2 IoCs

Processes:

84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe

pid	process
1812	84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe
1812	84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe

pid	process
1812	84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe
1812	84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe
1812	84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe
1812	84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe
1812	84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe
1812	84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe
1812	84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe
1812	84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1220 explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

explorer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	1220	explorer.exe
Token: SeShutdownPrivilege	1220	explorer.exe
Token: SeShutdownPrivilege	1220	explorer.exe
Token: SeShutdownPrivilege	1220	explorer.exe
Token: SeShutdownPrivilege	1220	explorer.exe
Token: SeShutdownPrivilege	1220	explorer.exe
Token: SeShutdownPrivilege	1220	explorer.exe
Token: SeShutdownPrivilege	1220	explorer.exe
Token: SeShutdownPrivilege	1220	explorer.exe
Token: SeShutdownPrivilege	1220	explorer.exe
Token: SeShutdownPrivilege	1220	explorer.exe
Token: SeShutdownPrivilege	1220	explorer.exe
Token: 33	1656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1656	AUDIODG.EXE
Token: 33	1656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1656	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

explorer.exe

pid	process
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

explorer.exe

pid	process
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe

description	pid	process	target process
PID 1812 wrote to memory of 472	1812	84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe	tja.exe
PID 1812 wrote to memory of 472	1812	84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe	tja.exe
PID 1812 wrote to memory of 472	1812	84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe	tja.exe
PID 1812 wrote to memory of 472	1812	84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe	tja.exe

C:\Users\Admin\AppData\Local\Temp\84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe
"C:\Users\Admin\AppData\Local\Temp\84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\tja.exe
"C:\Users\Admin\AppData\Local\tja.exe" -gav C:\Users\Admin\AppData\Local\Temp\84de2272532b862b12c3147d9446148b069c374bf2946138688c0303e768f816.exe
2⤵
- Executes dropped EXE
- Deletes itself
PID:472

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1220

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x57c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\tja.exe
Filesize
286KB

MD5
74e54906e90bc414801e415eb234c5b6

SHA1
605b5f9792c766047a4242e2184b31009a465f23

SHA256
0cbd8d8d609ba04891d91770b8ebd12d1f66c986968075b5d2ebce297bf3abca

SHA512
ffedf7b58fe4091f2308686b3540e3eb6c1a93f984798ad62b30d29853243b8e35b43576fdbb8ff6182e597110522345b40ad3c0feb1aad5e2702ccaf12c0a22

Download Submit
\Users\Admin\AppData\Local\tja.exe
Filesize
286KB

MD5
74e54906e90bc414801e415eb234c5b6

SHA1
605b5f9792c766047a4242e2184b31009a465f23

SHA256
0cbd8d8d609ba04891d91770b8ebd12d1f66c986968075b5d2ebce297bf3abca

SHA512
ffedf7b58fe4091f2308686b3540e3eb6c1a93f984798ad62b30d29853243b8e35b43576fdbb8ff6182e597110522345b40ad3c0feb1aad5e2702ccaf12c0a22

Download Submit
\Users\Admin\AppData\Local\tja.exe
Filesize
286KB

MD5
74e54906e90bc414801e415eb234c5b6

SHA1
605b5f9792c766047a4242e2184b31009a465f23

SHA256
0cbd8d8d609ba04891d91770b8ebd12d1f66c986968075b5d2ebce297bf3abca

SHA512
ffedf7b58fe4091f2308686b3540e3eb6c1a93f984798ad62b30d29853243b8e35b43576fdbb8ff6182e597110522345b40ad3c0feb1aad5e2702ccaf12c0a22

Download Submit
memory/472-67-0x0000000000400000-0x0000000000462FA0-memory.dmp

Filesize
395KB

Download
memory/472-62-0x0000000000000000-mapping.dmp

Download
memory/472-69-0x0000000000400000-0x0000000000462FA0-memory.dmp

Filesize
395KB

Download
memory/472-70-0x0000000001F40000-0x000000000234F000-memory.dmp

Filesize
4.1MB

Download
memory/472-71-0x0000000000400000-0x0000000000462FA0-memory.dmp

Filesize
395KB

Download
memory/1220-66-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download
memory/1812-58-0x0000000001D80000-0x0000000001E9D000-memory.dmp

Filesize
1.1MB

Download
memory/1812-59-0x0000000000400000-0x0000000000462FA0-memory.dmp

Filesize
395KB

Download
memory/1812-57-0x0000000001F60000-0x000000000236F000-memory.dmp

Filesize
4.1MB

Download
memory/1812-55-0x0000000000400000-0x0000000000462FA0-memory.dmp

Filesize
395KB

Download
memory/1812-56-0x0000000000401000-0x000000000045B000-memory.dmp

Filesize
360KB

Download
memory/1812-64-0x0000000000400000-0x0000000000462FA0-memory.dmp

Filesize
395KB

Download
memory/1812-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads