Analysis
-
max time kernel
81s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
05-02-2023 01:36
Static task
static1
Behavioral task
behavioral1
Sample
5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Resource
win10v2004-20220812-en
General
-
Target
5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
-
Size
3.6MB
-
MD5
36fd273ea7607d3a203f257f4e2649ed
-
SHA1
5e243f79ecb539d0d1f75fce7ddfedeccee70a48
-
SHA256
471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
-
SHA512
cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
-
SSDEEP
98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh
Malware Config
Extracted
aurora
45.9.74.11:8081
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation voiceadequovl.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation voiceadequovl.exe -
Executes dropped EXE 3 IoCs
pid Process 4888 voiceadequovl.exe 220 voiceadequovl.exe 3480 voiceadequovl.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 220 set thread context of 3480 220 voiceadequovl.exe 98 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4296 powershell.exe 4296 powershell.exe 3412 powershell.exe 3412 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 220 voiceadequovl.exe Token: SeDebugPrivilege 4296 powershell.exe Token: SeDebugPrivilege 3412 powershell.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 5052 wrote to memory of 4888 5052 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe 83 PID 5052 wrote to memory of 4888 5052 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe 83 PID 5052 wrote to memory of 4888 5052 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe 83 PID 4888 wrote to memory of 220 4888 voiceadequovl.exe 87 PID 4888 wrote to memory of 220 4888 voiceadequovl.exe 87 PID 4888 wrote to memory of 220 4888 voiceadequovl.exe 87 PID 220 wrote to memory of 4296 220 voiceadequovl.exe 93 PID 220 wrote to memory of 4296 220 voiceadequovl.exe 93 PID 220 wrote to memory of 4296 220 voiceadequovl.exe 93 PID 220 wrote to memory of 3968 220 voiceadequovl.exe 95 PID 220 wrote to memory of 3968 220 voiceadequovl.exe 95 PID 220 wrote to memory of 3968 220 voiceadequovl.exe 95 PID 3968 wrote to memory of 3412 3968 cmd.exe 97 PID 3968 wrote to memory of 3412 3968 cmd.exe 97 PID 3968 wrote to memory of 3412 3968 cmd.exe 97 PID 220 wrote to memory of 3480 220 voiceadequovl.exe 98 PID 220 wrote to memory of 3480 220 voiceadequovl.exe 98 PID 220 wrote to memory of 3480 220 voiceadequovl.exe 98 PID 220 wrote to memory of 3480 220 voiceadequovl.exe 98 PID 220 wrote to memory of 3480 220 voiceadequovl.exe 98 PID 220 wrote to memory of 3480 220 voiceadequovl.exe 98 PID 220 wrote to memory of 3480 220 voiceadequovl.exe 98 PID 220 wrote to memory of 3480 220 voiceadequovl.exe 98 PID 220 wrote to memory of 3480 220 voiceadequovl.exe 98 PID 220 wrote to memory of 3480 220 voiceadequovl.exe 98 PID 220 wrote to memory of 3480 220 voiceadequovl.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==4⤵
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412
-
-
-
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exeC:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe4⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get Caption5⤵PID:2508
-
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic path win32_VideoController get name"5⤵PID:3004
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_VideoController get name6⤵PID:3056
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic cpu get name"5⤵PID:2068
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic cpu get name6⤵PID:872
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
Filesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
Filesize
16KB
MD50c2562859bb1600a2816e905c219e9e6
SHA181888f8144141ed5571611aecb61eee4b38d3481
SHA2567fe500b22ecf0b757e0983eb6aa8855d9ef7d840caacf36717408d9a0890c72f
SHA512fd3f3e7bdecde389aff393422ffd86d897bfe9f06f5a4655db2b4510586e23f5bb3c88193c6ede4f9e6f4ff5d0a0df25be149f195a4013d3ae577d5e54443720
-
Filesize
299.3MB
MD5919c5d243baf084308e894524e1153d0
SHA1a3b09b14a72668ef18122a776c9ba30fd9c8456c
SHA256a7db87793ae9b2e4ed04ba63cabc796d75257f566d6d8440db0c01e900be2952
SHA512cbdcb64c2af35eda942ad2586af7a98e917c1ef23d54528bf0214641d960ee6254dfe92b20414037a5e0cea5211004fcb9b26452084e72047d3110f4191aff7a
-
Filesize
285.9MB
MD5610e94390d2a32dd027ea4bfe58969f5
SHA1966884a4d76078b18c0d8f184e0eb682620a2f31
SHA2561d3c61853ab9b682c1e4c1d2e205eb662f3da2e59bfef1c044f9f3593450035d
SHA512c049903f6ef81631d9c839e93b570816e6301c87dbcc8b45e31035976f663f7137b5cc805722c621782e1f6448ea3c596ec70362e49cf7bbbc9f475fdd1102c7
-
Filesize
275.9MB
MD5f03d76204f6021c458e8ce5a97c9e382
SHA100e95d2d4cf43003c95db68701c30190ac309764
SHA25672a2cebe30bc8625b43b859ed22a6423c972852e139d1a38903f0d303b5a41c3
SHA5123a6ca951dad09a75e770adc35ac6409a3b1117ea17986f52aa298cd900acc797dc01ea5a67da4e5b6916eeb2372b29b8efada727508d16eb22410c8e4b54f284
-
Filesize
274.8MB
MD54aeb131a8a8b42c133094df5399b673a
SHA18ccc80d49b26b5052f5de3e7318c212d05b43e17
SHA256006c2d5d6f21c1e8c5d96fd1d110a7ada6676fdd737fdfa1bf1b15d4d1b0873f
SHA512dbafebaed8c0c9cfb2f2a8b0c428f6e9676e7f3ae40fc23c9ad9160a7718ddb1c38605fa18aeec14cc9c2365c272848c6d20c1d14f54da24a7f5f524ed7f70e9
-
Filesize
125.1MB
MD5952b8f787b21860675eeb0019ac2bb64
SHA1ede2c578e60ed2d638b11f0ff7f7b57c880cc889
SHA256e82e9557193126bc61e61828952f25675893a456a089a310dcec044808cf6b36
SHA51259b757c80392d050a8188a1c40a7f53e7ffa5b372554cf34a81f8b1b818f199d7d012d02adbf4b9d20916c36e332bde3f4234d943b61e17053346bd9eff97dcc