55574524900a8fb459d0050a00c64ac409c66c58084409e7492aec96cb265dd7

General

Target

55574524900a8fb459d0050a00c64ac409c66c58084409e7492aec96cb265dd7.exe
Size

27KB
MD5

0c9ee4a8c45b7a5ce276bf629025b5ef
SHA1

1b0a1ae737c9377eaf4bf406afd3870c8144d136
SHA256

55574524900a8fb459d0050a00c64ac409c66c58084409e7492aec96cb265dd7
SHA512

6fb7355bbdeca1c47de3473bcb3d414504266a92ff4c4ff586fe7918497a7f7604c78daf1239372cf79929f425130a7bbd79717e69b23e30187f58c0ff3eec95
SSDEEP

384:u5kAWwLQORlWwOkmEzrU97+KqOyVWZpHVP8NkJ4snGF1DS5+W9781i5GiW4tDSh5:08O/WwOFIrugE4Ni8LzOilveez19zf

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
896	55574524900a8fb459d0050a00c64ac409c66c58084409e7492aec96cb265dd7.exe
896	55574524900a8fb459d0050a00c64ac409c66c58084409e7492aec96cb265dd7.exe
896	55574524900a8fb459d0050a00c64ac409c66c58084409e7492aec96cb265dd7.exe
896	55574524900a8fb459d0050a00c64ac409c66c58084409e7492aec96cb265dd7.exe
896	55574524900a8fb459d0050a00c64ac409c66c58084409e7492aec96cb265dd7.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1824	explorer.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	896	55574524900a8fb459d0050a00c64ac409c66c58084409e7492aec96cb265dd7.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: 33	1532	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1532	AUDIODG.EXE
Token: 33	1532	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1532	AUDIODG.EXE
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe

C:\Users\Admin\AppData\Local\Temp\55574524900a8fb459d0050a00c64ac409c66c58084409e7492aec96cb265dd7.exe
"C:\Users\Admin\AppData\Local\Temp\55574524900a8fb459d0050a00c64ac409c66c58084409e7492aec96cb265dd7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1824

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/896-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/896-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/896-56-0x0000000001FB0000-0x00000000023B7000-memory.dmp

Filesize
4.0MB

Download
memory/1824-57-0x000007FEFC0B1000-0x000007FEFC0B3000-memory.dmp

Filesize
8KB

Download
memory/1824-58-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing