9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1

General

Target

9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
Size

324KB
MD5

37f612fda2c0fd1f1f5a63e91aebbb2d
SHA1

6d00de148a63f1dde8988c2cd0e9562f00d30304
SHA256

9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1
SHA512

27a7acc4bb9f7d4f142ce75945f91676c0f8fb2d342818f2ed3fdd280b50feb09bd5df15a0ef5946f249f8ae8c8de868f8167b3e0e77f83bd4942c6c2086a92f
SSDEEP

6144:cQoFKbHYm+SA9tBB5GBcRudjttS+jiNhF2sGdYJf4cWjZmK:DUms9x5GEOjtQ+jacsG9

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1220	vjv.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
1220	vjv.exe

Loads dropped DLL 2 IoCs

pid	Process
888	9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
888	9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
888	9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
888	9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
888	9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
888	9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
888	9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
888	9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
888	9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
888	9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2044	explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2044	explorer.exe
Token: SeShutdownPrivilege	2044	explorer.exe
Token: SeShutdownPrivilege	2044	explorer.exe
Token: SeShutdownPrivilege	2044	explorer.exe
Token: SeShutdownPrivilege	2044	explorer.exe
Token: SeShutdownPrivilege	2044	explorer.exe
Token: SeShutdownPrivilege	2044	explorer.exe
Token: SeShutdownPrivilege	2044	explorer.exe
Token: SeShutdownPrivilege	2044	explorer.exe
Token: SeShutdownPrivilege	2044	explorer.exe
Token: 33	1384	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1384	AUDIODG.EXE
Token: 33	1384	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1384	AUDIODG.EXE
Token: SeShutdownPrivilege	2044	explorer.exe
Token: SeShutdownPrivilege	2044	explorer.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 1220	888	9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe	27
PID 888 wrote to memory of 1220	888	9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe	27
PID 888 wrote to memory of 1220	888	9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe	27
PID 888 wrote to memory of 1220	888	9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe	27

C:\Users\Admin\AppData\Local\Temp\9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
"C:\Users\Admin\AppData\Local\Temp\9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\vjv.exe
  "C:\Users\Admin\AppData\Local\vjv.exe" -gav C:\Users\Admin\AppData\Local\Temp\9814044142eb590ace2658a202394d5dfdf63940913b373e7985e16836dd19d1.exe
  2⤵
  - Executes dropped EXE
  - Deletes itself
  PID:1220

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\vjv.exe

Filesize
324KB

MD5
e3cb0dff8db02e6f748edc6b2afc6281

SHA1
793e852ed6f46f78f9f736501eb837b6556764c5

SHA256
ca7a618a2e0df4e370dbda441e1c6aebe92011eb3d0e3f62e008ca4ad485263f

SHA512
d9d9ceccf869ea17793c0ec538b353335676210d28ebe60a67da5c3512e87abda223558dbaaee8874f130f281b20a2984b5f62ff9641b8f3dc6e21112448485c

Download Submit
\Users\Admin\AppData\Local\vjv.exe

Filesize
324KB

MD5
e3cb0dff8db02e6f748edc6b2afc6281

SHA1
793e852ed6f46f78f9f736501eb837b6556764c5

SHA256
ca7a618a2e0df4e370dbda441e1c6aebe92011eb3d0e3f62e008ca4ad485263f

SHA512
d9d9ceccf869ea17793c0ec538b353335676210d28ebe60a67da5c3512e87abda223558dbaaee8874f130f281b20a2984b5f62ff9641b8f3dc6e21112448485c

Download Submit
\Users\Admin\AppData\Local\vjv.exe

Filesize
324KB

MD5
e3cb0dff8db02e6f748edc6b2afc6281

SHA1
793e852ed6f46f78f9f736501eb837b6556764c5

SHA256
ca7a618a2e0df4e370dbda441e1c6aebe92011eb3d0e3f62e008ca4ad485263f

SHA512
d9d9ceccf869ea17793c0ec538b353335676210d28ebe60a67da5c3512e87abda223558dbaaee8874f130f281b20a2984b5f62ff9641b8f3dc6e21112448485c

Download Submit
memory/888-69-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/888-55-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/888-56-0x0000000000401000-0x000000000045B000-memory.dmp

Filesize
360KB

Download
memory/888-57-0x0000000001CC0000-0x00000000020CE000-memory.dmp

Filesize
4.1MB

Download
memory/888-58-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/888-59-0x0000000001CC0000-0x0000000001DDD000-memory.dmp

Filesize
1.1MB

Download
memory/888-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/888-72-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1220-67-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1220-70-0x0000000001CF0000-0x00000000020FE000-memory.dmp

Filesize
4.1MB

Download
memory/1220-71-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1220-65-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2044-68-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing