8366370bc62a01011489f6069a81f8fb72e0b38a361bf7d688df4d1a969f396d

General

Target

8366370bc62a01011489f6069a81f8fb72e0b38a361bf7d688df4d1a969f396d.exe
Size

1.5MB
MD5

787b9c8d7cb27e9e8760de7952db9457
SHA1

dce41739eece4589a298557c8ad76666e2a55a3e
SHA256

8366370bc62a01011489f6069a81f8fb72e0b38a361bf7d688df4d1a969f396d
SHA512

abcb853ac681d3fc139e7458da5b99055922eb2d84a5de6416b04aa3dd8375e38164fdd924b7fe0c5e0af04edef800f710ad241b7e83473316d6d2df7af0c741
SSDEEP

49152:3e7/I4a3ULKENZXQrqrpW5YvVgNv4Tov2PQ9eOwJG:K/ja3UuKerQp9NM4TKTwc

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4492	2546.exe
4452	5894.exe
748	5894.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0001000000022e19-136.dat	upx
behavioral2/files/0x0001000000022e19-137.dat	upx
behavioral2/memory/4452-138-0x0000000000400000-0x00000000004F8000-memory.dmp	upx
behavioral2/files/0x0001000000022e19-145.dat	upx
behavioral2/memory/4452-147-0x0000000000400000-0x00000000004F8000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
748	5894.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4452 set thread context of 748	4452	5894.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3112	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
748	5894.exe
748	5894.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 4492	3916	8366370bc62a01011489f6069a81f8fb72e0b38a361bf7d688df4d1a969f396d.exe	82
PID 3916 wrote to memory of 4492	3916	8366370bc62a01011489f6069a81f8fb72e0b38a361bf7d688df4d1a969f396d.exe	82
PID 3916 wrote to memory of 4492	3916	8366370bc62a01011489f6069a81f8fb72e0b38a361bf7d688df4d1a969f396d.exe	82
PID 3916 wrote to memory of 4452	3916	8366370bc62a01011489f6069a81f8fb72e0b38a361bf7d688df4d1a969f396d.exe	83
PID 3916 wrote to memory of 4452	3916	8366370bc62a01011489f6069a81f8fb72e0b38a361bf7d688df4d1a969f396d.exe	83
PID 3916 wrote to memory of 4452	3916	8366370bc62a01011489f6069a81f8fb72e0b38a361bf7d688df4d1a969f396d.exe	83
PID 4452 wrote to memory of 748	4452	5894.exe	84
PID 4452 wrote to memory of 748	4452	5894.exe	84
PID 4452 wrote to memory of 748	4452	5894.exe	84
PID 4452 wrote to memory of 748	4452	5894.exe	84
PID 4452 wrote to memory of 748	4452	5894.exe	84
PID 4452 wrote to memory of 748	4452	5894.exe	84
PID 4452 wrote to memory of 748	4452	5894.exe	84
PID 4452 wrote to memory of 748	4452	5894.exe	84
PID 4452 wrote to memory of 748	4452	5894.exe	84

C:\Users\Admin\AppData\Local\Temp\8366370bc62a01011489f6069a81f8fb72e0b38a361bf7d688df4d1a969f396d.exe
"C:\Users\Admin\AppData\Local\Temp\8366370bc62a01011489f6069a81f8fb72e0b38a361bf7d688df4d1a969f396d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\2546.exe
  C:\Users\Admin\AppData\Local\Temp\2546.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Users\Admin\AppData\Local\Temp\5894.exe
  C:\Users\Admin\AppData\Local\Temp\5894.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\5894.exe
    C:\Users\Admin\AppData\Local\Temp\5894.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:748

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2546.exe

Filesize
1.2MB

MD5
da81c93417114980c0d346940c0e5024

SHA1
0397e11706bf1ec1a03cbcdece59fd0f09976a26

SHA256
4293bb5597d1c296b1ddc0e19fc2baa699b63c67bfd4774fa1fe83a462073260

SHA512
ea6432d571dce4e86880ad29524dc633fcea46f9317afcebcc1a0211e9cab39124dea081c6edc53b77da8d5d5f5b1042406d8c64b1379af44c9eb7e2c354e2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2546.exe

Filesize
1.2MB

MD5
da81c93417114980c0d346940c0e5024

SHA1
0397e11706bf1ec1a03cbcdece59fd0f09976a26

SHA256
4293bb5597d1c296b1ddc0e19fc2baa699b63c67bfd4774fa1fe83a462073260

SHA512
ea6432d571dce4e86880ad29524dc633fcea46f9317afcebcc1a0211e9cab39124dea081c6edc53b77da8d5d5f5b1042406d8c64b1379af44c9eb7e2c354e2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5894.exe

Filesize
724KB

MD5
6afe6a0e530269192424dee4e0598ca3

SHA1
e9cf16dc11cbfc2b28919088d7e07947c274e6c2

SHA256
623d041556c6883b56c7e22a38e30a55b04cb6cef194c0e4eb6e2dac1106e711

SHA512
5da7da542479c5141fc97d0b7f2bc553e9cb50d9f5c8f8884247d58d61bf52eb74d5f095b4f13c0afa6cbc20c6a97fbdd1977e3af26ed105384e3fc17d6910dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5894.exe

Filesize
724KB

MD5
6afe6a0e530269192424dee4e0598ca3

SHA1
e9cf16dc11cbfc2b28919088d7e07947c274e6c2

SHA256
623d041556c6883b56c7e22a38e30a55b04cb6cef194c0e4eb6e2dac1106e711

SHA512
5da7da542479c5141fc97d0b7f2bc553e9cb50d9f5c8f8884247d58d61bf52eb74d5f095b4f13c0afa6cbc20c6a97fbdd1977e3af26ed105384e3fc17d6910dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5894.exe

Filesize
724KB

MD5
6afe6a0e530269192424dee4e0598ca3

SHA1
e9cf16dc11cbfc2b28919088d7e07947c274e6c2

SHA256
623d041556c6883b56c7e22a38e30a55b04cb6cef194c0e4eb6e2dac1106e711

SHA512
5da7da542479c5141fc97d0b7f2bc553e9cb50d9f5c8f8884247d58d61bf52eb74d5f095b4f13c0afa6cbc20c6a97fbdd1977e3af26ed105384e3fc17d6910dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmF1E6.tmp

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
memory/748-142-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/748-140-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/748-141-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/748-152-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/748-143-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/748-151-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/748-146-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4452-148-0x0000000000650000-0x00000000006C3000-memory.dmp

Filesize
460KB

Download
memory/4452-149-0x0000000000B70000-0x0000000000B75000-memory.dmp

Filesize
20KB

Download
memory/4452-147-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4452-138-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download

Analysis

Sharing