e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be

General

Target

e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe
Size

770KB
MD5

21f1d2b9639b80c219e619ab275a6bfe
SHA1

4d6b840e88bd57c2a71a89345813f264a1275182
SHA256

e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be
SHA512

f9e060cbe63cd33e2d855cebbc9e658ac0bcfc1c6fe0dcdaaabf2b6451a1e14f02ba8dc0874591fa1d4e0a198c73a83baa09010923f5cb05806a5dc9e347c180
SSDEEP

12288:BnJFYyExlpCG8H2Qk+IMZsZwSIdecX85+DQwdtCR5pyxXa8jnk64:9lOCZZsZwSIa+DQutCFyxXa8Q

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2096	rzr-ts3m.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2484-132-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/2484-138-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 5084	2484	e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe	76

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4872	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4872	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2484	e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 5084	2484	e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe	76
PID 2484 wrote to memory of 5084	2484	e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe	76
PID 2484 wrote to memory of 5084	2484	e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe	76
PID 2484 wrote to memory of 5084	2484	e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe	76
PID 2484 wrote to memory of 5084	2484	e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe	76
PID 2484 wrote to memory of 5084	2484	e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe	76
PID 2484 wrote to memory of 5084	2484	e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe	76
PID 2484 wrote to memory of 5084	2484	e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe	76
PID 2484 wrote to memory of 5084	2484	e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe	76
PID 5084 wrote to memory of 2096	5084	e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe	77
PID 5084 wrote to memory of 2096	5084	e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe	77
PID 5084 wrote to memory of 2096	5084	e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe	77

C:\Users\Admin\AppData\Local\Temp\e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe
"C:\Users\Admin\AppData\Local\Temp\e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe
  C:\Users\Admin\AppData\Local\Temp\e1d84fdf4bf416bec06790cdeedc991f3160a189c6612621a986214e7ce3a0be.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\rzr-ts3m.exe
    "C:\Users\Admin\AppData\Local\Temp\rzr-ts3m.exe"
    3⤵
    - Executes dropped EXE
    PID:2096

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e4 0x4ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rzr-ts3m.exe

Filesize
346KB

MD5
69568ff0cd6a1bdcfede563ee952978e

SHA1
a720d5f5f72aab346fc04e7324310b830ece20b9

SHA256
be222fce2da73b6cc0443f2b8ddd1d15f310c0070a5dab274e4fc4da3e2a14ea

SHA512
0a7afa0ebcbae91ff0a49b8d0bb4a66003da8227884ce490a9c4c65a5b003fe1d01e237c640d20880eb1cb04b5011afb7e66db28971069d7eac30d46ad6480c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzr-ts3m.exe

Filesize
346KB

MD5
69568ff0cd6a1bdcfede563ee952978e

SHA1
a720d5f5f72aab346fc04e7324310b830ece20b9

SHA256
be222fce2da73b6cc0443f2b8ddd1d15f310c0070a5dab274e4fc4da3e2a14ea

SHA512
0a7afa0ebcbae91ff0a49b8d0bb4a66003da8227884ce490a9c4c65a5b003fe1d01e237c640d20880eb1cb04b5011afb7e66db28971069d7eac30d46ad6480c8

Download Submit
memory/2096-144-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2096-146-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2484-132-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2484-138-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5084-136-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5084-139-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5084-140-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5084-145-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing