Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-12-2022 07:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe
- Resource: win7-20220812-en
General
- Target: f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe
- Size: 341KB
- MD5: a491c799d482368deccdf8d9c47ac62d
- SHA1: 29c23737756a17bb386cffe9404336f24d4a4c8c
- SHA256: f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c
- SHA512: f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc
- SSDEEP: 6144:pJXQh6uTjQ4rVmh3k4cSbgzsdrVRRetrEpsKHAK3g3UHYTvLRUQSOObAIASgrtHS:xDXXbQL31z7KFCoNrFGdOJa9f5eRS
Malware Config
Signatures
-
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes (process: description, IoC):
- audiodgi.exe: Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- audiodgi.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"
-
Executes dropped EXE (5 IoCs)
Processes (PID, process):
- 1436 svchost.exe
- 1752 svchost.exe
- 332 audiodgi.exe
- 5024 wmpmetwk.exe
- 3352 wmpmetwk.exe
-
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes (process: description, IoC):
- f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- svchost.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- audiodgi.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (process: description, IoC):
- audiodgi.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"
-
Suspicious use of SetThreadContext (2 IoCs)
Processes (description; PID process -> target process):
- PID 1436 set thread context of 1752; 1436 svchost.exe -> svchost.exe
- PID 5024 set thread context of 3352; 5024 wmpmetwk.exe -> wmpmetwk.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (2 IoCs)
Processes (PID process -> target PID target process):
- 4896 WerFault.exe -> 1752 svchost.exe
- 4308 WerFault.exe -> 3352 wmpmetwk.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (PID, process; the same three processes recur throughout the run: 22 hits for 1436, 21 each for 332 and 5024):
- 1436 svchost.exe
- 332 audiodgi.exe
- 5024 wmpmetwk.exe
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (token; PID process):
- Token: SeDebugPrivilege; 4344 f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe
- Token: SeDebugPrivilege; 1436 svchost.exe
- Token: SeDebugPrivilege; 332 audiodgi.exe
- Token: SeDebugPrivilege; 5024 wmpmetwk.exe
-
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (PID process -> target PID target process, number of writes):
- 4344 f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe -> 1436 svchost.exe (3 writes)
- 1436 svchost.exe -> 1752 svchost.exe (4 writes)
- 1436 svchost.exe -> 332 audiodgi.exe (3 writes)
- 332 audiodgi.exe -> 5024 wmpmetwk.exe (3 writes)
- 5024 wmpmetwk.exe -> 3352 wmpmetwk.exe (4 writes)
Processes (tree depth in parentheses)
-
C:\Users\Admin\AppData\Local\Temp\f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe (1)
Command line: "C:\Users\Admin\AppData\Local\Temp\f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe"
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\svchost.exe (2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\svchost.exe (3)
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    - Executes dropped EXE
-
      C:\Windows\SysWOW64\WerFault.exe (4)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 84
      - Program crash
-
    C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe (3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
      C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe (4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
-
        C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe (5)
        Command line: C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        - Executes dropped EXE
-
          C:\Windows\SysWOW64\WerFault.exe (6)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 80
          - Program crash
-
C:\Windows\SysWOW64\WerFault.exe (1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1752 -ip 1752
-
C:\Windows\SysWOW64\WerFault.exe (1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3352 -ip 3352
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (duplicate entries for the same path and hashes collapsed)
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize: 105B
MD5: fc25c3b01b648207bf8db948858fc547
SHA1: 5b06754b8fe5e58d6b1362bdecddec4aa9409191
SHA256: e532f4ede6191bf01838b4b4fe9d00eb251562a517e060d20f522af94ee561cf
SHA512: 95646c5a3d5744528475c4f3210d43200c6bb93971f9a38be270e40e34524241df543c6d9248a340dd0d1e28ba525fd49e5869a7ac4afa611b4af495f8c729e5
-
C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
Filesize: 7KB
MD5: 2e18e07194565987ef816f36c4a2134e
SHA1: 5278b14dc0704abd700264bb9f8610caf5d007eb
SHA256: 44c927820ec11111ab620bfa75b71986b9e675770a782e3c740040d484e5dbd7
SHA512: 7160e14ec359e738e77afed6341890a8084605543e7deb8720457825ff013b907e7233cc890a8c63614b4d481bc73fb72cf15378d8f3534dfb9c8064fed6f930
-
C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe (same hashes as the submitted sample)
Filesize: 341KB
MD5: a491c799d482368deccdf8d9c47ac62d
SHA1: 29c23737756a17bb386cffe9404336f24d4a4c8c
SHA256: f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c
SHA512: f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe (same hashes as the submitted sample)
Filesize: 341KB
MD5: a491c799d482368deccdf8d9c47ac62d
SHA1: 29c23737756a17bb386cffe9404336f24d4a4c8c
SHA256: f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c
SHA512: f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc
Memory dumps (path, filesize where given):
- memory/332-143-0x0000000000000000-mapping.dmp
- memory/332-149-0x0000000074640000-0x0000000074BF1000-memory.dmp (5.7MB)
- memory/332-152-0x0000000074640000-0x0000000074BF1000-memory.dmp (5.7MB)
- memory/1436-133-0x0000000000000000-mapping.dmp
- memory/1436-139-0x0000000074640000-0x0000000074BF1000-memory.dmp (5.7MB)
- memory/1436-151-0x0000000074640000-0x0000000074BF1000-memory.dmp (5.7MB)
- memory/1752-141-0x0000000000000000-mapping.dmp
- memory/3352-147-0x0000000000000000-mapping.dmp
- memory/4344-132-0x0000000074640000-0x0000000074BF1000-memory.dmp (5.7MB)
- memory/4344-138-0x0000000074640000-0x0000000074BF1000-memory.dmp (5.7MB)
- memory/5024-145-0x0000000000000000-mapping.dmp
- memory/5024-150-0x0000000074640000-0x0000000074BF1000-memory.dmp (5.7MB)
- memory/5024-153-0x0000000074640000-0x0000000074BF1000-memory.dmp (5.7MB)