05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b

Analysis

max time kernel
190s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe
Size

21.9MB
MD5

d215f379a6d1946afd9376c92857c2a3
SHA1

975a3f866fa0ce1b8aa24c04372433c99c98f0f2
SHA256

05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b
SHA512

4b5e95c1abb437c052444d829ef60d37163622d1d4c92b6a567a0099047eb05b33ed03149a0547aef13fd8fcefa705346bcd2859f31f78a3056c831890198bac
SSDEEP

49152:Ycy52F1B2TDCbZ6MFhQjzCHrx50nxk6NKa:Yc/gM7Q/CuNKa

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4584	3ddown.com_eclstar4_setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3ddown.com_eclstar4 = "C:\\Program Files\\Odbir\\Hkorn.exe /3ddown.com_eclstar4 /{7F9F480F-75A6-48BA-9C6F-1710A6FC7268}"	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\Ole DB\MSPat.xml	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe
File created	C:\Program Files\Odbir\faxos.exe	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe
File created	C:\Program Files\Common Files\System\Ole DB\MSPat.xml	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe
File opened for modification	C:\Program Files\Odbir\lizos.exe	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe
File created	C:\Program Files\Odbir\mezsea\pat.xml	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe
File opened for modification	C:\Program Files\Odbir\mezsea\pat.xml	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe
File created	C:\Program Files\Odbir\mezsea\tedoes.dll	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe
File opened for modification	C:\Program Files\Odbir\mezsea\tedoes.dll	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe
File opened for modification	C:\Program Files\Odbir\faxos.exe	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe
File created	C:\Program Files\Odbir\lizos.exe	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3448	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3448	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 4584	1196	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	84
PID 1196 wrote to memory of 4584	1196	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	84
PID 1196 wrote to memory of 4584	1196	05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe	84

C:\Users\Admin\AppData\Local\Temp\05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe
"C:\Users\Admin\AppData\Local\Temp\05f4d80acbe657f195228faf87b9723922790b170a9b6aa14d193553f1bbd46b.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\g85E9B\3ddown.com_eclstar4_setup.exe
  C:\Users\Admin\AppData\Local\Temp\g85E9B\3ddown.com_eclstar4_setup.exe
  2⤵
  - Executes dropped EXE
  PID:4584

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x484 0x424
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g85E9B\3ddown.com_eclstar4_setup.exe

Filesize
126KB

MD5
917caf28d774062ce6a539362d5270a1

SHA1
f08d51cd5292325578227225af43025cc8948c82

SHA256
bf82b2b66442a3387bd6aceb1999595a6419f35da8a07d76986a4b995d56fabd

SHA512
5721f5057b8776862ab58fb614bb6cb2dac2dd14aaa9548a2402078d97b2e20ae6ad53ea860b13e49bebafb7ebb3cbc81f61c5d9e9b6813d50605780c1446849

Download Submit
C:\Users\Admin\AppData\Local\Temp\g85E9B\3ddown.com_eclstar4_setup.exe

Filesize
126KB

MD5
917caf28d774062ce6a539362d5270a1

SHA1
f08d51cd5292325578227225af43025cc8948c82

SHA256
bf82b2b66442a3387bd6aceb1999595a6419f35da8a07d76986a4b995d56fabd

SHA512
5721f5057b8776862ab58fb614bb6cb2dac2dd14aaa9548a2402078d97b2e20ae6ad53ea860b13e49bebafb7ebb3cbc81f61c5d9e9b6813d50605780c1446849

Download Submit