Analysis
-
max time kernel
75s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
05-02-2023 13:34
Static task
static1
Behavioral task
behavioral1
Sample
5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Resource
win10v2004-20220812-en
General
-
Target
5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
-
Size
3.6MB
-
MD5
36fd273ea7607d3a203f257f4e2649ed
-
SHA1
5e243f79ecb539d0d1f75fce7ddfedeccee70a48
-
SHA256
471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
-
SHA512
cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
-
SSDEEP
98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh
Malware Config
Extracted
aurora
45.9.74.11:8081
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
voiceadequovl.exevoiceadequovl.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation voiceadequovl.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation voiceadequovl.exe -
Executes dropped EXE 4 IoCs
Processes:
voiceadequovl.exevoiceadequovl.exevoiceadequovl.exevoiceadequovl.exepid Process 4264 voiceadequovl.exe 1340 voiceadequovl.exe 2228 voiceadequovl.exe 400 voiceadequovl.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
voiceadequovl.exedescription pid Process procid_target PID 1340 set thread context of 400 1340 voiceadequovl.exe 96 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exevoiceadequovl.exepowershell.exepid Process 5056 powershell.exe 5056 powershell.exe 1340 voiceadequovl.exe 1340 voiceadequovl.exe 2184 powershell.exe 2184 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exedescription pid Process Token: SeDebugPrivilege 1340 voiceadequovl.exe Token: SeDebugPrivilege 5056 powershell.exe Token: SeDebugPrivilege 2184 powershell.exe Token: SeIncreaseQuotaPrivilege 5100 wmic.exe Token: SeSecurityPrivilege 5100 wmic.exe Token: SeTakeOwnershipPrivilege 5100 wmic.exe Token: SeLoadDriverPrivilege 5100 wmic.exe Token: SeSystemProfilePrivilege 5100 wmic.exe Token: SeSystemtimePrivilege 5100 wmic.exe Token: SeProfSingleProcessPrivilege 5100 wmic.exe Token: SeIncBasePriorityPrivilege 5100 wmic.exe Token: SeCreatePagefilePrivilege 5100 wmic.exe Token: SeBackupPrivilege 5100 wmic.exe Token: SeRestorePrivilege 5100 wmic.exe Token: SeShutdownPrivilege 5100 wmic.exe Token: SeDebugPrivilege 5100 wmic.exe Token: SeSystemEnvironmentPrivilege 5100 wmic.exe Token: SeRemoteShutdownPrivilege 5100 wmic.exe Token: SeUndockPrivilege 5100 wmic.exe Token: SeManageVolumePrivilege 5100 wmic.exe Token: 33 5100 wmic.exe Token: 34 5100 wmic.exe Token: 35 5100 wmic.exe Token: 36 5100 wmic.exe Token: SeIncreaseQuotaPrivilege 5100 wmic.exe Token: SeSecurityPrivilege 5100 wmic.exe Token: SeTakeOwnershipPrivilege 5100 wmic.exe Token: SeLoadDriverPrivilege 5100 wmic.exe Token: SeSystemProfilePrivilege 5100 wmic.exe Token: SeSystemtimePrivilege 5100 wmic.exe Token: SeProfSingleProcessPrivilege 5100 wmic.exe Token: SeIncBasePriorityPrivilege 5100 wmic.exe Token: SeCreatePagefilePrivilege 5100 wmic.exe Token: SeBackupPrivilege 5100 wmic.exe Token: SeRestorePrivilege 5100 wmic.exe Token: SeShutdownPrivilege 5100 wmic.exe Token: SeDebugPrivilege 5100 wmic.exe Token: SeSystemEnvironmentPrivilege 5100 wmic.exe Token: SeRemoteShutdownPrivilege 5100 wmic.exe Token: SeUndockPrivilege 5100 wmic.exe Token: SeManageVolumePrivilege 5100 wmic.exe Token: 33 5100 wmic.exe Token: 34 5100 wmic.exe Token: 35 5100 wmic.exe Token: 36 5100 wmic.exe Token: SeIncreaseQuotaPrivilege 3800 WMIC.exe Token: SeSecurityPrivilege 3800 WMIC.exe Token: SeTakeOwnershipPrivilege 3800 WMIC.exe Token: SeLoadDriverPrivilege 3800 WMIC.exe Token: SeSystemProfilePrivilege 3800 WMIC.exe Token: SeSystemtimePrivilege 3800 WMIC.exe Token: SeProfSingleProcessPrivilege 3800 WMIC.exe Token: SeIncBasePriorityPrivilege 3800 WMIC.exe Token: SeCreatePagefilePrivilege 3800 WMIC.exe Token: SeBackupPrivilege 3800 WMIC.exe Token: SeRestorePrivilege 3800 WMIC.exe Token: SeShutdownPrivilege 3800 WMIC.exe Token: SeDebugPrivilege 3800 WMIC.exe Token: SeSystemEnvironmentPrivilege 3800 WMIC.exe Token: SeRemoteShutdownPrivilege 3800 WMIC.exe Token: SeUndockPrivilege 3800 WMIC.exe Token: SeManageVolumePrivilege 3800 WMIC.exe Token: 33 3800 WMIC.exe Token: 34 3800 WMIC.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.exedescription pid Process procid_target PID 4216 wrote to memory of 4264 4216 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe 79 PID 4216 wrote to memory of 4264 4216 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe 79 PID 4216 wrote to memory of 4264 4216 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe 79 PID 4264 wrote to memory of 1340 4264 voiceadequovl.exe 80 PID 4264 wrote to memory of 1340 4264 voiceadequovl.exe 80 PID 4264 wrote to memory of 1340 4264 voiceadequovl.exe 80 PID 1340 wrote to memory of 5056 1340 voiceadequovl.exe 87 PID 1340 wrote to memory of 5056 1340 voiceadequovl.exe 87 PID 1340 wrote to memory of 5056 1340 voiceadequovl.exe 87 PID 1340 wrote to memory of 3804 1340 voiceadequovl.exe 93 PID 1340 wrote to memory of 3804 1340 voiceadequovl.exe 93 PID 1340 wrote to memory of 3804 1340 voiceadequovl.exe 93 PID 3804 wrote to memory of 2184 3804 cmd.exe 94 PID 3804 wrote to memory of 2184 3804 cmd.exe 94 PID 3804 wrote to memory of 2184 3804 cmd.exe 94 PID 1340 wrote to memory of 2228 1340 voiceadequovl.exe 95 PID 1340 wrote to memory of 2228 1340 voiceadequovl.exe 95 PID 1340 wrote to memory of 2228 1340 voiceadequovl.exe 95 PID 1340 wrote to memory of 400 1340 voiceadequovl.exe 96 PID 1340 wrote to memory of 400 1340 voiceadequovl.exe 96 PID 1340 wrote to memory of 400 1340 voiceadequovl.exe 96 PID 1340 wrote to memory of 400 1340 voiceadequovl.exe 96 PID 1340 wrote to memory of 400 1340 voiceadequovl.exe 96 PID 1340 wrote to memory of 400 1340 voiceadequovl.exe 96 PID 1340 wrote to memory of 400 1340 voiceadequovl.exe 96 PID 1340 wrote to memory of 400 1340 voiceadequovl.exe 96 PID 1340 wrote to memory of 400 1340 voiceadequovl.exe 96 PID 1340 wrote to memory of 400 1340 voiceadequovl.exe 96 PID 1340 wrote to memory of 400 1340 voiceadequovl.exe 96 PID 400 wrote to memory of 5100 400 voiceadequovl.exe 98 PID 400 wrote to memory of 5100 400 voiceadequovl.exe 98 PID 400 wrote to memory of 5100 400 voiceadequovl.exe 98 PID 400 wrote to memory of 580 400 voiceadequovl.exe 100 PID 400 wrote to memory of 580 400 voiceadequovl.exe 100 PID 400 wrote to memory of 580 400 voiceadequovl.exe 100 PID 580 wrote to memory of 3800 580 cmd.exe 101 PID 580 wrote to memory of 3800 580 cmd.exe 101 PID 580 wrote to memory of 3800 580 cmd.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==4⤵
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
-
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exeC:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe4⤵
- Executes dropped EXE
PID:2228
-
-
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exeC:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get Caption5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5100
-
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic path win32_VideoController get name"5⤵
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3800
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic cpu get name"5⤵PID:3836
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic cpu get name6⤵PID:4948
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
Filesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
Filesize
16KB
MD50a17f096546385df3c09ab7b323a5974
SHA1919f11eff329ff849c0cb5277f6d40bf470d0fc7
SHA256bd93ce4455de76d6a11e0a7bf07422f201485afd4ec1d142a6da9ab7e9ba1fc7
SHA5128bc89b571c5c543cf03588689949f4b1614b727237638bf8b96d61f5ae92ef44b20cfb3e2e1dd1b56fdf0e0daab425ab35fe3a00e132d4546e819a4c13a8f0fd
-
Filesize
171.8MB
MD5edaccf0f5fe46665a08f46416be2c512
SHA1768334d2a5c9ccc554e20593e6bf3a00a19bf346
SHA256d405b95511bc5498b98a4fbe07becfc061c2d5a819a28f123ec561c5ac9982bc
SHA51214ce030e0898cc824f765bcbd98656596ec5e3f91b1100b5fbfb7199cef39ab67d349a101be40ab5baba5e79a2a5a61270374bff72d7ea6f42bededf0b10a9d4
-
Filesize
140.7MB
MD5b3e8f2a6ffe842eea3571b6c2fe7052b
SHA13cba9e2831806ee00e10c39033b171e4bc53240f
SHA256791b6cedc0a50d2190776b7a6e27bb8b454d66037d26799f3af910245636b86e
SHA51229cae014af667b06d7539855c527e7b0b0b686ae3498d636399205b99dde858bc4ac79114d22a52ebadeb2453d491e4f8aa287ffa77e80afb4e1a41cbff776c0
-
Filesize
123.8MB
MD5580731ff034e277d56b421ba4c15ea48
SHA1e68d09553c49c4e9b5704592b8c6eae274416c7c
SHA256bbec475243e96d82e8bbd07278ad8ea74a25c017afbc8df9537ac47e69f9668b
SHA5123287c20f6695458b8047e7070a84e04e3699881a7b6caa22f76a8c917831f4afaef1335ac60a389462e8706375b62ffc914e26cb467a246a5e44497830ae590c
-
Filesize
114.5MB
MD5f959065f68d94e586c0a4c7337f1a392
SHA1b5b0e17880936095f2028e613be8a01d77570dac
SHA256fc49f1d19fad37467335f959e878cdd2eba5bc76b9121006ae00b753704a9617
SHA51298b3af35cd6d26fd00baa30a63b545aca5ec43e5ec560e5be7841a1f5e4154a5fe4f59dd10dc495824d7da2cfb985349c80c68107c925c7305995174405f49a2
-
Filesize
68.6MB
MD5426d40be03968e6fdd30d7281338b275
SHA152cb1472fe40cd2528aa96680f9d02b833a2f729
SHA25649bbf2d1415b022dc9d04fd073653ecc3ff06e2c3286a923be721c9c6a936a93
SHA51264e3d30d4a6363354ab30b18a5788064c43331f0f9e5dc58a4ee6f68156ea69cb01097361b77b7f1953bcad64af5f0d5757043a83b6c5f527c266ea90428b467
-
Filesize
67.2MB
MD54a5fb4b46751ce473e50a40f7e53cc13
SHA18b4e670a689e17435c44d988a8a02d7b7d41c093
SHA25666dfab22330f16aac24ac6183aa90e2a698efc2da4b27c60a065a88ee7540357
SHA5129d215aa918a16fc426d0fa44458b19eb8511304aa0863e437fd548f02b30e337cc074f3f660aa5ea7277cebb348d4e9db9fc3cbfbcc2c4ff4d2d98cc7c6b8555