8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7

General

Target

8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe
Size

318KB
MD5

61f84d66a5a17e167e13a201330e59ee
SHA1

0b926845df78fdf81b4b8374d92a317862f41f3d
SHA256

8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7
SHA512

d13aa2cd5ae16fdf260f8c5df14696ef20369fada5f95c73e49b92d245207da3b649b534f8d5358bd08c7aa282df4bb7fae00994ddc51af64ad654e66b9d9183
SSDEEP

6144:P5BogeiM5RyVZts3UfNKUqeMiZRKNgMLcbxKkajReYYl1rdVvxf6sh/////P:RzimeUljqvsRKNgDKk6RPYl1TvxZh//X

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3496	EA_Keygen.exe
3964	zero.exe
1860	win87.exe
3816	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	win87.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runAPI69 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\runAPI46.exe\""	zero.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	win87.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	win87.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zero.exe	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3964 set thread context of 1860	3964	zero.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	win87.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4920	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4920	AUDIODG.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 3496	5024	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe	82
PID 5024 wrote to memory of 3496	5024	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe	82
PID 5024 wrote to memory of 3496	5024	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe	82
PID 5024 wrote to memory of 3964	5024	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe	83
PID 5024 wrote to memory of 3964	5024	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe	83
PID 5024 wrote to memory of 3964	5024	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe	83
PID 3964 wrote to memory of 1860	3964	zero.exe	85
PID 3964 wrote to memory of 1860	3964	zero.exe	85
PID 3964 wrote to memory of 1860	3964	zero.exe	85
PID 3964 wrote to memory of 1860	3964	zero.exe	85
PID 3964 wrote to memory of 1860	3964	zero.exe	85
PID 3964 wrote to memory of 1860	3964	zero.exe	85
PID 3964 wrote to memory of 1860	3964	zero.exe	85
PID 3964 wrote to memory of 1860	3964	zero.exe	85
PID 3964 wrote to memory of 1860	3964	zero.exe	85
PID 3964 wrote to memory of 1860	3964	zero.exe	85
PID 3964 wrote to memory of 1860	3964	zero.exe	85
PID 3964 wrote to memory of 1860	3964	zero.exe	85
PID 3964 wrote to memory of 1860	3964	zero.exe	85
PID 1860 wrote to memory of 3816	1860	win87.exe	86
PID 1860 wrote to memory of 3816	1860	win87.exe	86
PID 1860 wrote to memory of 3816	1860	win87.exe	86

C:\Users\Admin\AppData\Local\Temp\8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe
"C:\Users\Admin\AppData\Local\Temp\8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\EA_Keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\EA_Keygen.exe"
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\SysWOW64\zero.exe
  "C:\Windows\system32\zero.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\win87.exe
    C:\Users\Admin\AppData\Local\Temp\win87.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:3816

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e4 0x460
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EA_Keygen.exe

Filesize
97KB

MD5
09bbea6a5f8ee12cbd3647ee74e2914a

SHA1
e6286aca0a7dbbdb507a66d55c19074049a1c197

SHA256
79afb5254ab3697e970cf6cdbd19e50993b593f4da60ff4fac5cc859ed4c2a69

SHA512
ca705ab0d8a01c23d4033acdd5125540b5a483a222bb2d6234b7becbfeb5630b9115c4307abbc1f6bae53fc63173ff50e3a6db30b147de3ae87a1e6372c3cbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA_Keygen.exe

Filesize
97KB

MD5
09bbea6a5f8ee12cbd3647ee74e2914a

SHA1
e6286aca0a7dbbdb507a66d55c19074049a1c197

SHA256
79afb5254ab3697e970cf6cdbd19e50993b593f4da60ff4fac5cc859ed4c2a69

SHA512
ca705ab0d8a01c23d4033acdd5125540b5a483a222bb2d6234b7becbfeb5630b9115c4307abbc1f6bae53fc63173ff50e3a6db30b147de3ae87a1e6372c3cbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\win87.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\win87.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
C:\Windows\SysWOW64\zero.exe

Filesize
212KB

MD5
c377c795f14dd65ca919fc1108f45197

SHA1
fe1efbc85d7acbf9ce78baeaa7fed29c31ba6409

SHA256
f4a14fce3586992a80501155dbc57d6857cd82d5c33248168c6f8f9a5a084dd9

SHA512
276ab732c31f2f87c7b4cf3505878203a99d0b2e20534b9b5d78a281266f67c597b405a01b4be18600b77e37abb0059b345bb500b1afddea0ebb35c37b3b155c

Download Submit
C:\Windows\SysWOW64\zero.exe

Filesize
212KB

MD5
c377c795f14dd65ca919fc1108f45197

SHA1
fe1efbc85d7acbf9ce78baeaa7fed29c31ba6409

SHA256
f4a14fce3586992a80501155dbc57d6857cd82d5c33248168c6f8f9a5a084dd9

SHA512
276ab732c31f2f87c7b4cf3505878203a99d0b2e20534b9b5d78a281266f67c597b405a01b4be18600b77e37abb0059b345bb500b1afddea0ebb35c37b3b155c

Download Submit
memory/1860-141-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1860-144-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1860-145-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1860-146-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3496-139-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3496-137-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3496-151-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3964-147-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing