e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f

General

Target

e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
Size

1.3MB
MD5

f60f1039d3d2edb2aac7114ad53c973b
SHA1

0f1a1f068b50726f1b31d32f2a848d89eff6fd57
SHA256

e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f
SHA512

03e321a7fbdea343f95ed47533fd30ad2955b714b8a6d494c00c556d5e178ef11e7e1052b0660fc7f75af523496121dc79006d792e1028c9065aae302bfa8428
SSDEEP

24576:gZusv/DwNLHPJH6pYCkeKW/8XwQmRtPF+mviWavPzGLgO2uptmh:vsv/GvtkHKW/8XwQUhahyLgwpt+

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	serverr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sqlserver.exe

Executes dropped EXE 2 IoCs

pid	Process
4136	serverr.exe
3776	sqlserver.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4412	netsh.exe
4176	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	serverr.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\74b62a045122cbb3b8a2a67a7555083b.exe	sqlserver.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\74b62a045122cbb3b8a2a67a7555083b.exe	sqlserver.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\74b62a045122cbb3b8a2a67a7555083b = "\"C:\\Program Files (x86)\\sqlserver.exe\" .."	sqlserver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\74b62a045122cbb3b8a2a67a7555083b = "\"C:\\Program Files (x86)\\sqlserver.exe\" .."	sqlserver.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	serverr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	serverr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sqlserver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sqlserver.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\sqlserver.exe	serverr.exe
File opened for modification	C:\Program Files (x86)\sqlserver.exe.log	sqlserver.exe
File created	C:\Program Files (x86)\sqlserver.exe	serverr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1952	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
1952	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
1952	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
1952	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	3056	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3056	AUDIODG.EXE
Token: SeDebugPrivilege	4136	serverr.exe
Token: 33	4136	serverr.exe
Token: SeIncBasePriorityPrivilege	4136	serverr.exe
Token: SeDebugPrivilege	3776	sqlserver.exe
Token: 33	3776	sqlserver.exe
Token: SeIncBasePriorityPrivilege	3776	sqlserver.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1952	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
1952	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
3776	sqlserver.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 4136	1952	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe	83
PID 1952 wrote to memory of 4136	1952	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe	83
PID 1952 wrote to memory of 4136	1952	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe	83
PID 4136 wrote to memory of 3776	4136	serverr.exe	85
PID 4136 wrote to memory of 3776	4136	serverr.exe	85
PID 4136 wrote to memory of 3776	4136	serverr.exe	85
PID 3776 wrote to memory of 4176	3776	sqlserver.exe	89
PID 3776 wrote to memory of 4176	3776	sqlserver.exe	89
PID 3776 wrote to memory of 4176	3776	sqlserver.exe	89
PID 3776 wrote to memory of 4412	3776	sqlserver.exe	86
PID 3776 wrote to memory of 4412	3776	sqlserver.exe	86
PID 3776 wrote to memory of 4412	3776	sqlserver.exe	86

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	serverr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sqlserver.exe

C:\Users\Admin\AppData\Local\Temp\e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
"C:\Users\Admin\AppData\Local\Temp\e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\serverr.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\serverr.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4136
- - C:\Program Files (x86)\sqlserver.exe
    "C:\Program Files (x86)\sqlserver.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3776
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\SysWOW64\wscript.exe" "wscript.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4412
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Program Files (x86)\sqlserver.exe" "sqlserver.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4176

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x460 0x3cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sqlserver.exe

Filesize
62KB

MD5
3edb0d68414bb303c7b1088f571519cd

SHA1
f4f891f477a5b9ce6babb515cea7736f3b570c18

SHA256
73f44169a97696ce7701455ff4eb02677ca3eecace96f3597e4eefd3bfe6f240

SHA512
0a8cffb39df9d38d391f2035b0829b8aa926a5c536172fa1499d6352a8b07592f333cb5f7eeb1e72bc0817ac175807e38992a1982dbcc70cb222f4b6c22a5b69

Download Submit
C:\Program Files (x86)\sqlserver.exe

Filesize
62KB

MD5
3edb0d68414bb303c7b1088f571519cd

SHA1
f4f891f477a5b9ce6babb515cea7736f3b570c18

SHA256
73f44169a97696ce7701455ff4eb02677ca3eecace96f3597e4eefd3bfe6f240

SHA512
0a8cffb39df9d38d391f2035b0829b8aa926a5c536172fa1499d6352a8b07592f333cb5f7eeb1e72bc0817ac175807e38992a1982dbcc70cb222f4b6c22a5b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMBPlayer\Serverr.exe

Filesize
62KB

MD5
3edb0d68414bb303c7b1088f571519cd

SHA1
f4f891f477a5b9ce6babb515cea7736f3b570c18

SHA256
73f44169a97696ce7701455ff4eb02677ca3eecace96f3597e4eefd3bfe6f240

SHA512
0a8cffb39df9d38d391f2035b0829b8aa926a5c536172fa1499d6352a8b07592f333cb5f7eeb1e72bc0817ac175807e38992a1982dbcc70cb222f4b6c22a5b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMBPlayer\serverr.exe

Filesize
62KB

MD5
3edb0d68414bb303c7b1088f571519cd

SHA1
f4f891f477a5b9ce6babb515cea7736f3b570c18

SHA256
73f44169a97696ce7701455ff4eb02677ca3eecace96f3597e4eefd3bfe6f240

SHA512
0a8cffb39df9d38d391f2035b0829b8aa926a5c536172fa1499d6352a8b07592f333cb5f7eeb1e72bc0817ac175807e38992a1982dbcc70cb222f4b6c22a5b69

Download Submit
memory/1952-132-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3776-143-0x0000000072820000-0x0000000072DD1000-memory.dmp

Filesize
5.7MB

Download
memory/3776-144-0x0000000072820000-0x0000000072DD1000-memory.dmp

Filesize
5.7MB

Download
memory/4136-136-0x0000000072820000-0x0000000072DD1000-memory.dmp

Filesize
5.7MB

Download
memory/4136-140-0x0000000072820000-0x0000000072DD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads