d00b8527779d3014b49708450eaed5cff5804f68944fad8c501f81c7ef83713e

General

Target

121f406624b9995f3f19c5dcfeab6a66.exe
Size

215KB
MD5

121f406624b9995f3f19c5dcfeab6a66
SHA1

1327fa593578ed4b90743427aa839293e25166f7
SHA256

d00b8527779d3014b49708450eaed5cff5804f68944fad8c501f81c7ef83713e
SHA512

5d3686b098838b50e5d01d80b7594f54a82bf9f9f716d7a2e9cba9049adb39899e48d29592a73146248728e603aefd72acda70c4ad1985266f1008660cbbb9a4
SSDEEP

6144:LS/ECKgcKNc+fwb1/d8eLCWLz8/Gs+nFeHT:hvgIdKeOWXyGs+nOT

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	121f406624b9995f3f19c5dcfeab6a66.exe

Executes dropped EXE 3 IoCs

pid	Process
3108	~DP4FE5.exe
5072	~DP50C1.exe
4656	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~DP4FE5.exe"	~DP4FE5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\winlogon.exe"	winlogon.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\winlogon.exe	~DP4FE5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2308	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2308	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4656	winlogon.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 3108	3308	121f406624b9995f3f19c5dcfeab6a66.exe	21
PID 3308 wrote to memory of 3108	3308	121f406624b9995f3f19c5dcfeab6a66.exe	21
PID 3308 wrote to memory of 3108	3308	121f406624b9995f3f19c5dcfeab6a66.exe	21
PID 3308 wrote to memory of 5072	3308	121f406624b9995f3f19c5dcfeab6a66.exe	20
PID 3308 wrote to memory of 5072	3308	121f406624b9995f3f19c5dcfeab6a66.exe	20
PID 3308 wrote to memory of 5072	3308	121f406624b9995f3f19c5dcfeab6a66.exe	20
PID 3108 wrote to memory of 4656	3108	~DP4FE5.exe	42
PID 3108 wrote to memory of 4656	3108	~DP4FE5.exe	42
PID 3108 wrote to memory of 4656	3108	~DP4FE5.exe	42

C:\Users\Admin\AppData\Local\Temp\121f406624b9995f3f19c5dcfeab6a66.exe
"C:\Users\Admin\AppData\Local\Temp\121f406624b9995f3f19c5dcfeab6a66.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Users\Admin\AppData\Local\Temp\~DP50C1.exe
  "C:\Users\Admin\AppData\Local\Temp\~DP50C1.exe"
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Users\Admin\AppData\Local\Temp\~DP4FE5.exe
  "C:\Users\Admin\AppData\Local\Temp\~DP4FE5.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\winlogon.exe
    C:\Windows\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:4656

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x3fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DP4FE5.exe

Filesize
82KB

MD5
8619b4d2c237c044c7a5b24e00140411

SHA1
60ce620609c626bada9226fffc34a6cc276b5a39

SHA256
ed90fa6fa86577d0d2c7b7d9e241e65f827bd0986f2a3ca0007a02d50c8593f6

SHA512
cea0d0285fd6cc62f18587bc09db05cbd2a51c015d803dc360be5101bc41528fb22be5f1bb9769559041e9317a998c604475eac0b53d8a1dc948584a57228b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DP4FE5.exe

Filesize
102KB

MD5
59fb30ba8347091eaeeb3fa215962cda

SHA1
a74d2a2e9e6e89fd22c478b330f319991853f0eb

SHA256
b0a8d7ee2f13965578ecc03bdd510e1ce1b0fa2a2aa64811b04a9efb1d866eb9

SHA512
17fbebf65325bc1abc7c582e4640160ec63b03164bf8b24d00eef8cf9a9e4bf7c37c0d6bce3b99d62c0003f456fa8f338075dc0a532649b4e6197d4548ab25cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DP4FE5.exe

Filesize
78KB

MD5
0741d7af5ea013ec4896f2fe72c13fb0

SHA1
c9157d5bb45f9b3b45ddfff8d703c879d244965f

SHA256
ed3dbdb224a4380ac24953103cee8b64c27acb8d0031e76eb4335185e0a637f8

SHA512
b123d3e97789b8eb4189269ef7bb0c068e13165e44e2fe4fa45f158af52f9f72f5c37272847341c81d4d2bb5a11d80e92f3439d408569038f36da1d1bf758f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DP50C1.exe

Filesize
37KB

MD5
2603caec69a049b1ce63cf5ac4974112

SHA1
11d02dfc9cbfdc35d70c5d4bf43aa0c8a2a6dd52

SHA256
7c51adf29f475cfe942c4380e8ef1e19bba6cde454c8a94a461943a4d11324ad

SHA512
07ac64c5a015d6185f164fdf1f8e5adcd3cb58d12d2b2c33abe544041d1f4e627c8b9b3340cd095e3c35c0f0dd15b9dc56257e22b7a96407c3e1f4142261584b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DP50C1.exe

Filesize
41KB

MD5
e9bcc69aefb08897ee5cb81546253705

SHA1
8435b204b98fbe563654e65ab58a1e0447c87f1c

SHA256
f1850e5c8eef81bd5080e303754f833b4a27498f6f0a9cdea730e16ed1ffcfa8

SHA512
0e99c859b84ed100de4df3b0890e00cf8cd33a7b7624278faccf7c903c049b513b3495518c1ad6ec54e83be2dc6077cdf3c41637a0ceecf84762dd59d9b6cb4d

Download Submit
C:\Windows\winlogon.exe

Filesize
156KB

MD5
b524995de3a3a7fc987ce779cef59ff2

SHA1
6e6a0e733dd1fa27e98e0c077a8a0042e9bdf522

SHA256
92d895fa1e0eac56231f89fabf80db4d666afbf2369ea42f5fba5d2dabd0b2c0

SHA512
377dd960650514159f6e7f38007b5ed9da36e5f4bb970da64fed5bb82787877e094deeadb0fcfbbbf81be775f4a28b2078bab1e4efa35f5213598c11d32bb15e

Download Submit
memory/3108-13-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3108-22-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3308-17-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4656-23-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5072-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5072-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5072-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5072-27-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5072-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5072-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5072-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5072-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5072-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5072-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5072-34-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5072-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5072-36-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5072-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads