ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f

General

Target

ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe
Size

265KB
MD5

03ca25b793c4a0c92b5767be79df0361
SHA1

91b60c7b113103c64bd96ba7de36e604e5c8bda1
SHA256

ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f
SHA512

61c37869e3ab54ab1a91c7cf244c5fd228cd5b730ddb025935f09ef6861533bc464d6734ada66de2d2b7a8a51275105ecb504f833c39a343450f0407fa50cd4f
SSDEEP

6144:yFa0E5WpV/F7YSkqy79bqWMNsy69IKXSh:yF+Wn7ZI9OWMNH

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1936	ujd.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
1936	ujd.exe

Loads dropped DLL 2 IoCs

pid	Process
900	ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe
900	ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
900	ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe
900	ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe
900	ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe
900	ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe
900	ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe
900	ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe
900	ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe
900	ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1960	explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1960	explorer.exe
Token: SeShutdownPrivilege	1960	explorer.exe
Token: SeShutdownPrivilege	1960	explorer.exe
Token: SeShutdownPrivilege	1960	explorer.exe
Token: SeShutdownPrivilege	1960	explorer.exe
Token: SeShutdownPrivilege	1960	explorer.exe
Token: SeShutdownPrivilege	1960	explorer.exe
Token: SeShutdownPrivilege	1960	explorer.exe
Token: SeShutdownPrivilege	1960	explorer.exe
Token: SeShutdownPrivilege	1960	explorer.exe
Token: 33	1548	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1548	AUDIODG.EXE
Token: 33	1548	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1548	AUDIODG.EXE
Token: SeShutdownPrivilege	1960	explorer.exe
Token: SeShutdownPrivilege	1960	explorer.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1936	900	ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe	27
PID 900 wrote to memory of 1936	900	ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe	27
PID 900 wrote to memory of 1936	900	ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe	27
PID 900 wrote to memory of 1936	900	ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe	27

C:\Users\Admin\AppData\Local\Temp\ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe
"C:\Users\Admin\AppData\Local\Temp\ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\ujd.exe
  "C:\Users\Admin\AppData\Local\ujd.exe" -gav C:\Users\Admin\AppData\Local\Temp\ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f.exe
  2⤵
  - Executes dropped EXE
  - Deletes itself
  PID:1936

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ujd.exe

Filesize
265KB

MD5
03ca25b793c4a0c92b5767be79df0361

SHA1
91b60c7b113103c64bd96ba7de36e604e5c8bda1

SHA256
ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f

SHA512
61c37869e3ab54ab1a91c7cf244c5fd228cd5b730ddb025935f09ef6861533bc464d6734ada66de2d2b7a8a51275105ecb504f833c39a343450f0407fa50cd4f

Download Submit
\Users\Admin\AppData\Local\ujd.exe

Filesize
265KB

MD5
03ca25b793c4a0c92b5767be79df0361

SHA1
91b60c7b113103c64bd96ba7de36e604e5c8bda1

SHA256
ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f

SHA512
61c37869e3ab54ab1a91c7cf244c5fd228cd5b730ddb025935f09ef6861533bc464d6734ada66de2d2b7a8a51275105ecb504f833c39a343450f0407fa50cd4f

Download Submit
\Users\Admin\AppData\Local\ujd.exe

Filesize
265KB

MD5
03ca25b793c4a0c92b5767be79df0361

SHA1
91b60c7b113103c64bd96ba7de36e604e5c8bda1

SHA256
ca6c131b3f4bf46a2a91dae88ec7a41050b3d72830a9dc050c5cada638514f0f

SHA512
61c37869e3ab54ab1a91c7cf244c5fd228cd5b730ddb025935f09ef6861533bc464d6734ada66de2d2b7a8a51275105ecb504f833c39a343450f0407fa50cd4f

Download Submit
memory/900-59-0x00000000004E0000-0x00000000005FD000-memory.dmp

Filesize
1.1MB

Download
memory/900-58-0x0000000000400000-0x0000000000461F20-memory.dmp

Filesize
391KB

Download
memory/900-56-0x0000000000401000-0x000000000045B000-memory.dmp

Filesize
360KB

Download
memory/900-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/900-57-0x0000000001D90000-0x000000000219E000-memory.dmp

Filesize
4.1MB

Download
memory/900-55-0x0000000000400000-0x0000000000461F20-memory.dmp

Filesize
391KB

Download
memory/900-65-0x0000000000400000-0x0000000000461F20-memory.dmp

Filesize
391KB

Download
memory/1936-69-0x0000000001ED0000-0x00000000022DE000-memory.dmp

Filesize
4.1MB

Download
memory/1936-70-0x0000000000400000-0x0000000000461F20-memory.dmp

Filesize
391KB

Download
memory/1960-68-0x000007FEFB131000-0x000007FEFB133000-memory.dmp

Filesize
8KB

Download
memory/1960-71-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing