73f4006f8f42d1c5c4644c02513082b5e0c5e15465c667c8de0e2d4a652b1dc4

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5853abf213e5cdaeae074d9dbbf6098b.exe
Size

226KB
MD5

5853abf213e5cdaeae074d9dbbf6098b
SHA1

d4c6d38e5ad574c4e07b33b3c342be45726af04d
SHA256

73f4006f8f42d1c5c4644c02513082b5e0c5e15465c667c8de0e2d4a652b1dc4
SHA512

2ac3eb5ff36c1dbf2d8a5ec7543ff31449f0da462cb35576a2ab0bb73ae79feac1d91fb3c6f92b2e58cb962d4bcfa0fe8bde16229e199709d16a4eadc47ff691
SSDEEP

6144:C1QLJQL0gTTuQ0quhsf7KjMdcornRZAArCgLADMJ82PeAUyFd:x2oITuQ0qugKjzEfbrCnm82PevS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	5853abf213e5cdaeae074d9dbbf6098b.exe

Executes dropped EXE 1 IoCs

pid	Process
1976	generator.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\directx.exe	5853abf213e5cdaeae074d9dbbf6098b.exe
File opened for modification	C:\Windows\SysWOW64\directx.exe	5853abf213e5cdaeae074d9dbbf6098b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2552	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2552	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 1976	2828	5853abf213e5cdaeae074d9dbbf6098b.exe	60
PID 2828 wrote to memory of 1976	2828	5853abf213e5cdaeae074d9dbbf6098b.exe	60
PID 2828 wrote to memory of 1976	2828	5853abf213e5cdaeae074d9dbbf6098b.exe	60

C:\Users\Admin\AppData\Local\Temp\5853abf213e5cdaeae074d9dbbf6098b.exe
"C:\Users\Admin\AppData\Local\Temp\5853abf213e5cdaeae074d9dbbf6098b.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\generator.exe
  "C:\Users\Admin\AppData\Local\Temp\generator.exe"
  2⤵
  - Executes dropped EXE
  PID:1976

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x478 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\generator.exe

Filesize
163KB

MD5
ec264de3e9f120078e3f2533e51e1842

SHA1
cebb108a745c774d6ba93f9cf9516e54f06dca18

SHA256
efd903c2a5382b57068aa06022642d1cdaaba97591f1177503f47b0466f46016

SHA512
6095098f0c1610c9a2113938c8a7e7d0ab34d67da75d8d4d87aae1491c0d889ac79f72fd49a71ed2726e8b3183e1f5da8f1231b34b6d81c851e5ec13c3f75a97

Download Submit
memory/1976-14-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2828-0-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download