05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b

General

Target

05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe
Size

21.9MB
MD5

d215f379a6d1946afd9376c92857c2a3
SHA1

975a3f866fa0ce1b8aa24c04372433c99c98f0f2
SHA256

05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b
SHA512

4b5e95c1abb437c052444d829ef60d37163622d1d4c92b6a567a0099047eb05b33ed03149a0547aef13fd8fcefa705346bcd2859f31f78a3056c831890198bac
SSDEEP

49152:Ycy52F1B2TDCbZ6MFhQjzCHrx50nxk6NKa:Yc/gM7Q/CuNKa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
436	3ddown.com_eclstar4_setup.exe

Loads dropped DLL 4 IoCs

pid	Process
1192	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe
436	3ddown.com_eclstar4_setup.exe
436	3ddown.com_eclstar4_setup.exe
436	3ddown.com_eclstar4_setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3ddown.com_eclstar4 = "C:\\Users\\Public\\Efuj\\Awtu.exe /3ddown.com_eclstar4 /{97A9FEDF-A6DA-451C-81D0-55EF592354F2}"	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	320	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	320	AUDIODG.EXE
Token: 33	320	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	320	AUDIODG.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1780	1192	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	28
PID 1192 wrote to memory of 1780	1192	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	28
PID 1192 wrote to memory of 1780	1192	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	28
PID 1192 wrote to memory of 1780	1192	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	28
PID 1192 wrote to memory of 1780	1192	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	28
PID 1192 wrote to memory of 1780	1192	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	28
PID 1192 wrote to memory of 1780	1192	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	28
PID 1780 wrote to memory of 1744	1780	Net.exe	30
PID 1780 wrote to memory of 1744	1780	Net.exe	30
PID 1780 wrote to memory of 1744	1780	Net.exe	30
PID 1780 wrote to memory of 1744	1780	Net.exe	30
PID 1780 wrote to memory of 1744	1780	Net.exe	30
PID 1780 wrote to memory of 1744	1780	Net.exe	30
PID 1780 wrote to memory of 1744	1780	Net.exe	30
PID 1192 wrote to memory of 436	1192	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	31
PID 1192 wrote to memory of 436	1192	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	31
PID 1192 wrote to memory of 436	1192	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	31
PID 1192 wrote to memory of 436	1192	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	31
PID 1192 wrote to memory of 436	1192	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	31
PID 1192 wrote to memory of 436	1192	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	31
PID 1192 wrote to memory of 436	1192	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	31

C:\Users\Admin\AppData\Local\Temp\05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe
"C:\Users\Admin\AppData\Local\Temp\05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:1744
- C:\Users\Admin\AppData\Local\Temp\g82878\3ddown.com_eclstar4_setup.exe
  C:\Users\Admin\AppData\Local\Temp\g82878\3ddown.com_eclstar4_setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:436

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g82878\3ddown.com_eclstar4_setup.exe

Filesize
126KB

MD5
917caf28d774062ce6a539362d5270a1

SHA1
f08d51cd5292325578227225af43025cc8948c82

SHA256
bf82b2b66442a3387bd6aceb1999595a6419f35da8a07d76986a4b995d56fabd

SHA512
5721f5057b8776862ab58fb614bb6cb2dac2dd14aaa9548a2402078d97b2e20ae6ad53ea860b13e49bebafb7ebb3cbc81f61c5d9e9b6813d50605780c1446849

Download Submit
C:\Users\Admin\AppData\Local\Temp\g82878\3ddown.com_eclstar4_setup.exe

Filesize
126KB

MD5
917caf28d774062ce6a539362d5270a1

SHA1
f08d51cd5292325578227225af43025cc8948c82

SHA256
bf82b2b66442a3387bd6aceb1999595a6419f35da8a07d76986a4b995d56fabd

SHA512
5721f5057b8776862ab58fb614bb6cb2dac2dd14aaa9548a2402078d97b2e20ae6ad53ea860b13e49bebafb7ebb3cbc81f61c5d9e9b6813d50605780c1446849

Download Submit
\Users\Admin\AppData\Local\Temp\g82878\3ddown.com_eclstar4_setup.exe

Filesize
126KB

MD5
917caf28d774062ce6a539362d5270a1

SHA1
f08d51cd5292325578227225af43025cc8948c82

SHA256
bf82b2b66442a3387bd6aceb1999595a6419f35da8a07d76986a4b995d56fabd

SHA512
5721f5057b8776862ab58fb614bb6cb2dac2dd14aaa9548a2402078d97b2e20ae6ad53ea860b13e49bebafb7ebb3cbc81f61c5d9e9b6813d50605780c1446849

Download Submit
\Users\Admin\AppData\Local\Temp\g82878\3ddown.com_eclstar4_setup.exe

Filesize
126KB

MD5
917caf28d774062ce6a539362d5270a1

SHA1
f08d51cd5292325578227225af43025cc8948c82

SHA256
bf82b2b66442a3387bd6aceb1999595a6419f35da8a07d76986a4b995d56fabd

SHA512
5721f5057b8776862ab58fb614bb6cb2dac2dd14aaa9548a2402078d97b2e20ae6ad53ea860b13e49bebafb7ebb3cbc81f61c5d9e9b6813d50605780c1446849

Download Submit
\Users\Admin\AppData\Local\Temp\g82878\3ddown.com_eclstar4_setup.exe

Filesize
126KB

MD5
917caf28d774062ce6a539362d5270a1

SHA1
f08d51cd5292325578227225af43025cc8948c82

SHA256
bf82b2b66442a3387bd6aceb1999595a6419f35da8a07d76986a4b995d56fabd

SHA512
5721f5057b8776862ab58fb614bb6cb2dac2dd14aaa9548a2402078d97b2e20ae6ad53ea860b13e49bebafb7ebb3cbc81f61c5d9e9b6813d50605780c1446849

Download Submit
\Users\Admin\AppData\Local\Temp\g82878\3ddown.com_eclstar4_setup.exe

Filesize
126KB

MD5
917caf28d774062ce6a539362d5270a1

SHA1
f08d51cd5292325578227225af43025cc8948c82

SHA256
bf82b2b66442a3387bd6aceb1999595a6419f35da8a07d76986a4b995d56fabd

SHA512
5721f5057b8776862ab58fb614bb6cb2dac2dd14aaa9548a2402078d97b2e20ae6ad53ea860b13e49bebafb7ebb3cbc81f61c5d9e9b6813d50605780c1446849

Download Submit
memory/1192-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing