99d717341e0c7d4886e72d7c3835aa4b50fd3174b8d7e56eb89aef73867c2f3f

Analysis

max time kernel
186s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 00:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

99d717341e0c7d4886e72d7c3835aa4b50fd3174b8d7e56eb89aef73867c2f3f.exe
Size

888KB
MD5

b6831619b1da8c2ce4e016406b814259
SHA1

e5388ba8b8ad5d1ae6add08978ede34151bfe6d3
SHA256

99d717341e0c7d4886e72d7c3835aa4b50fd3174b8d7e56eb89aef73867c2f3f
SHA512

901f70925f6cc6d4eec97e1ba8078854de2f5a6a0e60744b07bf5754db5a7bc9a0786ca5f71f20bd7a4ab21ded9bea199b4e0ad6fbaff1a3ea5b88bf7d921193
SSDEEP

12288:bWkiy3+Fetw+HpINocmDoiYD04KupS7XHk+lb6Qsh4tGw5tiLS4tNEv8zaKoqVy:bWkc+lcmDnImXzkQsh4B5cm435y

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4300	rinst.exe
1376	taxi2.exe
5020	mailPlayer.exe
4988	aqib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	99d717341e0c7d4886e72d7c3835aa4b50fd3174b8d7e56eb89aef73867c2f3f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	rinst.exe

Loads dropped DLL 3 IoCs

pid	Process
4988	aqib.exe
5020	mailPlayer.exe
1900	99d717341e0c7d4886e72d7c3835aa4b50fd3174b8d7e56eb89aef73867c2f3f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	aqib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aqib = "C:\\Windows\\SysWOW64\\aqib.exe"	aqib.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\aqib.exe	rinst.exe
File created	C:\Windows\SysWOW64\aqibhk.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	aqib.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4300	rinst.exe
4300	rinst.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1812	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1812	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4988	aqib.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe
4988	aqib.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 4300	1900	99d717341e0c7d4886e72d7c3835aa4b50fd3174b8d7e56eb89aef73867c2f3f.exe	80
PID 1900 wrote to memory of 4300	1900	99d717341e0c7d4886e72d7c3835aa4b50fd3174b8d7e56eb89aef73867c2f3f.exe	80
PID 1900 wrote to memory of 4300	1900	99d717341e0c7d4886e72d7c3835aa4b50fd3174b8d7e56eb89aef73867c2f3f.exe	80
PID 4300 wrote to memory of 1376	4300	rinst.exe	81
PID 4300 wrote to memory of 1376	4300	rinst.exe	81
PID 4300 wrote to memory of 1376	4300	rinst.exe	81
PID 1376 wrote to memory of 5020	1376	taxi2.exe	82
PID 1376 wrote to memory of 5020	1376	taxi2.exe	82
PID 1376 wrote to memory of 5020	1376	taxi2.exe	82
PID 4300 wrote to memory of 4988	4300	rinst.exe	83
PID 4300 wrote to memory of 4988	4300	rinst.exe	83
PID 4300 wrote to memory of 4988	4300	rinst.exe	83

C:\Users\Admin\AppData\Local\Temp\99d717341e0c7d4886e72d7c3835aa4b50fd3174b8d7e56eb89aef73867c2f3f.exe
"C:\Users\Admin\AppData\Local\Temp\99d717341e0c7d4886e72d7c3835aa4b50fd3174b8d7e56eb89aef73867c2f3f.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taxi2.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\taxi2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\mailPlayer.exe
      "C:\Users\Admin\AppData\Local\Temp\mailPlayer.exe" "/a" "taxi.tjm" "taxi.tps"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5020
- - C:\Windows\SysWOW64\aqib.exe
    C:\Windows\system32\aqib.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\aqib.exe

Filesize
488KB

MD5
98597dfab47f0c4e211c8acdd150bc46

SHA1
73dcb964b2af3258459f89f2c67f586042c7918d

SHA256
e2e6b5466546c74b8340e95392ce1f23629be328188e0384c3be306d83b43351

SHA512
9a66a231be13a4c11aee5d014bf94b8fda2e6eb3ea9d49cd30b4be2207aee14a325fbd3fa4c63ba9c5c0e6286ea5332908d4c6d8325e6bc9e3fad21e1323157f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\aqibhk.dll

Filesize
19KB

MD5
5ad6364aeb26c4bd95373e8765457ef1

SHA1
5817501996b7cecb81e4cd2e52de7941c33c5ccb

SHA256
a6bb9364306018674306a335060827847abd6fcffb1d5e83184a07e48b854d66

SHA512
b3212d67fa7eb1e09ad7d62cc1430c62fce30a65e1712eb9a2228510b8906770796217b3c6d17edf9a1085ebd25acc8c9d9820a93333dec6f1b46917e9ee39ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
700B

MD5
0bf8d28302dfccef66b66d54946ad3ca

SHA1
61bd1ddef3c16692ae5955a4de51f5e78690301b

SHA256
3e58a016acaee6b47c805cdbdab5e59d652008c03e95cfd6b3efda1d4b31c8e3

SHA512
3181ac5ee97c302e9640721e3fcb3e53fd9dea0a4a63e8435ecc78cbedf54efde407868a3dcda810b1cfa8dd1637c58f0cab8caf60e090fad845844bd6528630

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
3KB

MD5
4ea5ece17a65af5fbcf575d21338a08c

SHA1
5d93279d3bd6238fac1787681424dda717bdd60d

SHA256
07cd201fc6ccf79cfd3c1dbc6ff8e3c53914c4318d61f6c431754da41d7b1d98

SHA512
4ded3b084fd3f72e2dabe555e36e1b15c8d3278db931ead9deadd787bc4763efdcd679737f952b8cb293d6436ea0cfe159f1957f5310a8ffd5f1fd65db1bab46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
19KB

MD5
f3d0beef15eb987dbcec8e803bf6c89d

SHA1
978b8def3e38e1be25d5083cfaf3f904c6a25265

SHA256
aa9972cd81a4fddd6dc77c139d2c5061604e3eb7ae2acac6fe680d0692d3bf37

SHA512
d08d6b7ff49e724dd59f8a7a4b18ba7e89bc0acf348f75b15348cd70d60184bfe015d0103b621aefa56fddc74f18660e87522ed16059a25205d8525d02bb7cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
19KB

MD5
f3d0beef15eb987dbcec8e803bf6c89d

SHA1
978b8def3e38e1be25d5083cfaf3f904c6a25265

SHA256
aa9972cd81a4fddd6dc77c139d2c5061604e3eb7ae2acac6fe680d0692d3bf37

SHA512
d08d6b7ff49e724dd59f8a7a4b18ba7e89bc0acf348f75b15348cd70d60184bfe015d0103b621aefa56fddc74f18660e87522ed16059a25205d8525d02bb7cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taxi2.exe

Filesize
631KB

MD5
d563b91dfb8ec2c319cad59046af5b12

SHA1
dae54d0aa3cc24701e0b725fff1385d56c4c7f5e

SHA256
8de28bc8aecb66871302a0c927be72f34f15d47af129b39e9ba71d781eb1c79f

SHA512
2cbc57e624a23b02d5a6b630fb120ac148707b0643beb0134b3fc020b15a2f38f3b55d9845b8665163b3290bb89ad7df0e7ebf1d22af7ceb79a711bbff4a517c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taxi2.exe

Filesize
631KB

MD5
d563b91dfb8ec2c319cad59046af5b12

SHA1
dae54d0aa3cc24701e0b725fff1385d56c4c7f5e

SHA256
8de28bc8aecb66871302a0c927be72f34f15d47af129b39e9ba71d781eb1c79f

SHA512
2cbc57e624a23b02d5a6b630fb120ac148707b0643beb0134b3fc020b15a2f38f3b55d9845b8665163b3290bb89ad7df0e7ebf1d22af7ceb79a711bbff4a517c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mailPlayer.exe

Filesize
784KB

MD5
14b30b9a05e23c1605135ab378f2a2c7

SHA1
0a9829e0dbe4443e0bb6296e4aeb8a8e39c830c7

SHA256
b3222047d1e0ade0b398566b8ebe90f7451e600fe30d2eb6dab307dc881b785e

SHA512
597c0cdb79c1fb63e6f50ffd9f04017d059c87d667ef0c81184d3d015e5c74a8cd98bc22904ee53224f2d08af5c5fb4ec3f0e156700283310055936057983650

Download Submit
C:\Users\Admin\AppData\Local\Temp\mailPlayer.exe

Filesize
784KB

MD5
14b30b9a05e23c1605135ab378f2a2c7

SHA1
0a9829e0dbe4443e0bb6296e4aeb8a8e39c830c7

SHA256
b3222047d1e0ade0b398566b8ebe90f7451e600fe30d2eb6dab307dc881b785e

SHA512
597c0cdb79c1fb63e6f50ffd9f04017d059c87d667ef0c81184d3d015e5c74a8cd98bc22904ee53224f2d08af5c5fb4ec3f0e156700283310055936057983650

Download Submit
C:\Users\Admin\AppData\Local\Temp\taxi.TJM

Filesize
18KB

MD5
724ee3ac3814d8623e78012b671d2031

SHA1
f33943ee3639d3eeb44dd625d994dcfac3ee0592

SHA256
dd2d2c0b34e6d6628ca5a19b9386913a7822fe8117695ff5e4703e7ee94e5639

SHA512
c30a2236d1f3bd521b3e829fe74eb6d344acf8e4e37fb65f130394eb57fe93976b1da797ecfa683b2a78d12c85dff5d11810a05d2a8246b85c7a9e94181e60fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\taxi.TPS

Filesize
377KB

MD5
addb2309492c136ca484876086ed6dbc

SHA1
70556a59c943b178f58a0af28bebfd7b7cf72caa

SHA256
334fe60a1cc7b99f8248911ed1060badb730b6e782e121b09a4117e7e87b588e

SHA512
03285c3d5771ac3c5d09d05b1ed138d328fb08c9ad4a4368e6bc757623909867b713bc63a8c3a2b38dd43fd813830fbb5ef70fe9ce92e6084bb9d99d9101cab8

Download Submit
C:\Windows\SysWOW64\aqib.exe

Filesize
488KB

MD5
c5b9e8f7d1a7b421960e46cfd52ec29b

SHA1
c2dbf375d0e9fed28158decad1bd4ed567f22854

SHA256
0f8288100d4bf76e15ce685281c735f3bde08ffbcbec03f4e2b31345beb1fc9e

SHA512
de9424c74e75425e8ec3cdb419973fedbba6ecf3a9d1897ab0871eafd1b72ca2762359b41eff608eaf54267a879347f482c2222479bf844864f6901fe1b15ab8

Download Submit
C:\Windows\SysWOW64\aqib.exe

Filesize
488KB

MD5
c5b9e8f7d1a7b421960e46cfd52ec29b

SHA1
c2dbf375d0e9fed28158decad1bd4ed567f22854

SHA256
0f8288100d4bf76e15ce685281c735f3bde08ffbcbec03f4e2b31345beb1fc9e

SHA512
de9424c74e75425e8ec3cdb419973fedbba6ecf3a9d1897ab0871eafd1b72ca2762359b41eff608eaf54267a879347f482c2222479bf844864f6901fe1b15ab8

Download Submit
C:\Windows\SysWOW64\aqibhk.dll

Filesize
19KB

MD5
5e6048d3199fb6c8185ff32e9ff496f7

SHA1
1eef853446d04381162cff51d36719791f3eda95

SHA256
f3e0dded2544c588aeb1a4ea87c237bd11cb290beb05a35bb2aec4f43e248efc

SHA512
5aa478b2ff3016d1fe709e32fcd987d5f399fbea8f1bb96f0cc456767549c6629cd57d2a146d17514a1be71af56460c19511d1e3a95b8636f2b0b4ecd4b10149

Download Submit
C:\Windows\SysWOW64\aqibhk.dll

Filesize
19KB

MD5
5e6048d3199fb6c8185ff32e9ff496f7

SHA1
1eef853446d04381162cff51d36719791f3eda95

SHA256
f3e0dded2544c588aeb1a4ea87c237bd11cb290beb05a35bb2aec4f43e248efc

SHA512
5aa478b2ff3016d1fe709e32fcd987d5f399fbea8f1bb96f0cc456767549c6629cd57d2a146d17514a1be71af56460c19511d1e3a95b8636f2b0b4ecd4b10149

Download Submit
C:\Windows\SysWOW64\aqibhk.dll

Filesize
19KB

MD5
5e6048d3199fb6c8185ff32e9ff496f7

SHA1
1eef853446d04381162cff51d36719791f3eda95

SHA256
f3e0dded2544c588aeb1a4ea87c237bd11cb290beb05a35bb2aec4f43e248efc

SHA512
5aa478b2ff3016d1fe709e32fcd987d5f399fbea8f1bb96f0cc456767549c6629cd57d2a146d17514a1be71af56460c19511d1e3a95b8636f2b0b4ecd4b10149

Download Submit
C:\Windows\SysWOW64\aqibhk.dll

Filesize
19KB

MD5
5e6048d3199fb6c8185ff32e9ff496f7

SHA1
1eef853446d04381162cff51d36719791f3eda95

SHA256
f3e0dded2544c588aeb1a4ea87c237bd11cb290beb05a35bb2aec4f43e248efc

SHA512
5aa478b2ff3016d1fe709e32fcd987d5f399fbea8f1bb96f0cc456767549c6629cd57d2a146d17514a1be71af56460c19511d1e3a95b8636f2b0b4ecd4b10149

Download Submit
C:\Windows\SysWOW64\inst.dat

Filesize
700B

MD5
0bf8d28302dfccef66b66d54946ad3ca

SHA1
61bd1ddef3c16692ae5955a4de51f5e78690301b

SHA256
3e58a016acaee6b47c805cdbdab5e59d652008c03e95cfd6b3efda1d4b31c8e3

SHA512
3181ac5ee97c302e9640721e3fcb3e53fd9dea0a4a63e8435ecc78cbedf54efde407868a3dcda810b1cfa8dd1637c58f0cab8caf60e090fad845844bd6528630

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
3KB

MD5
f92976350fdd6c5066a3efe6f3d6e106

SHA1
e57a3640d2944f37faf34a23a77764da801a3817

SHA256
5f586149fef9b86ef876dfccc669898a7c0b773643e21f7f4d852a52eaf7649e

SHA512
281966cbc700de392be92184cb54a64320edac48bebe5d73fd49a8edd8b91a346e5a9f41b82fbb512c4e5b739df70f568c9fea01963fa38268cf7f35996ff684

Download Submit
C:\Windows\SysWOW64\rinst.exe

Filesize
19KB

MD5
f3d0beef15eb987dbcec8e803bf6c89d

SHA1
978b8def3e38e1be25d5083cfaf3f904c6a25265

SHA256
aa9972cd81a4fddd6dc77c139d2c5061604e3eb7ae2acac6fe680d0692d3bf37

SHA512
d08d6b7ff49e724dd59f8a7a4b18ba7e89bc0acf348f75b15348cd70d60184bfe015d0103b621aefa56fddc74f18660e87522ed16059a25205d8525d02bb7cfa

Download Submit