e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427

General

Target

e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
Size

1.1MB
MD5

78ab95671fdd7dd9fd5f511a4bbfb9f8
SHA1

677aa1fa3ca19bbd1454906a06701ed7270d0dcc
SHA256

e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427
SHA512

1ebe31de8cc92b4d3f201fa042985dd243162ccbc49938ae541e552d8d318491a9142041eb3b8bc51d5e825ab39094e95b6ee58146e0b39aaab46485bd3ff57a
SSDEEP

24576:4KUPqFwkyC17SRkgH3D19KDAwnsvi846RvBlSZBvqT/9L1:7UPqFwkP1AkgHz/KD/nsvimJ5T/7

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3256-132-0x0000000000400000-0x000000000056F000-memory.dmp	upx
behavioral2/memory/3256-133-0x0000000000400000-0x000000000056F000-memory.dmp	upx
behavioral2/memory/3256-136-0x0000000000400000-0x000000000056F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\L:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\Q:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\U:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\A:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\B:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\E:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\F:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\W:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\Z:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\J:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\K:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\M:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\R:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\T:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\Y:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\G:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\H:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\N:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\P:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\O:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\S:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\V:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
File opened (read-only)	\??\X:	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A32D5CD4-76C1-11ED-AECB-4AA92575F981} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4056	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4056	vlc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3256	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
Token: 33	3872	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3872	AUDIODG.EXE
Token: 33	4056	vlc.exe
Token: SeIncBasePriorityPrivilege	4056	vlc.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe
4056	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3428	IEXPLORE.EXE
3428	IEXPLORE.EXE
4056	vlc.exe
4056	vlc.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 4056	3256	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe	78
PID 3256 wrote to memory of 4056	3256	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe	78
PID 3256 wrote to memory of 3428	3256	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe	79
PID 3256 wrote to memory of 3428	3256	e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe	79
PID 3428 wrote to memory of 4984	3428	IEXPLORE.EXE	80
PID 3428 wrote to memory of 4984	3428	IEXPLORE.EXE	80
PID 3428 wrote to memory of 4984	3428	IEXPLORE.EXE	80

C:\Users\Admin\AppData\Local\Temp\e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe
"C:\Users\Admin\AppData\Local\Temp\e1fbdb964f35e70470cd9c0d83464303ab4e48bd5611dd8a9fb3c0bc2d62e427.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\cb120_toWMV_38.wmv"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4056
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "http://www.a88b88.com/--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------.asp?id=wii&md5=65d8e3b9b3facdcee8d9c707680abc33"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3428 CREDAT:17410 /prefetch:2
    3⤵
    PID:4984

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x468
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cb120_toWMV_38.wmv

Filesize
378KB

MD5
81ee578130211d23562d6b46653dd72f

SHA1
fec58fd5e0baa01cf9796db9ef31c1072a897c6a

SHA256
31fd5e59d735ca324f03b1d4391cefcb3ae46d54df927535925aabdeb7138c43

SHA512
c002e51c8891a31997a56f58c23a6d5b98eafda90de64588af3a25c716640a4e1917dd202314cdb5c0f42dca240ff9d62c652a03fde54d2157a12bb72439e9f2

Download Submit
memory/3256-132-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3256-133-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3256-136-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4056-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads