08b99e99ead4c703470efdf9e455907f2fdc333c4beed5de8d6bec94d75b67e2

Analysis

max time kernel
56s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

784ca02643e990429c39a7c440d2f68f.exe
Size

19.1MB
MD5

784ca02643e990429c39a7c440d2f68f
SHA1

fb5f994173c4897d46405f4831d65802f5cd14c1
SHA256

08b99e99ead4c703470efdf9e455907f2fdc333c4beed5de8d6bec94d75b67e2
SHA512

061b9082de1bfc28d67212317f5ccdd0820003a273f416583e48ebe2f10e656c88a54fc4d20dee33ae8b463c50327a1e54efc3860f34bc2bc9d049bc333fec88
SSDEEP

393216:NiC/Iv06yIWmKiX8JwnQGgknE2Lf4WxTzCWI98rJZpARXTWQ7FKZ:uvxyIrTX8JQdnvLf/TdTAR3BKZ

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	CDS.exe

Executes dropped EXE 3 IoCs

pid	Process
4516	CDS.exe
4476	crypted.exe
4512	CDS.exe

Loads dropped DLL 2 IoCs

pid	Process
4516	CDS.exe
4512	CDS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	784ca02643e990429c39a7c440d2f68f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	crypted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3028	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2204	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2204	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4516	CDS.exe
4516	CDS.exe
4512	CDS.exe
4512	CDS.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 4516	2196	784ca02643e990429c39a7c440d2f68f.exe	94
PID 2196 wrote to memory of 4516	2196	784ca02643e990429c39a7c440d2f68f.exe	94
PID 2196 wrote to memory of 4516	2196	784ca02643e990429c39a7c440d2f68f.exe	94
PID 4516 wrote to memory of 4476	4516	CDS.exe	96
PID 4516 wrote to memory of 4476	4516	CDS.exe	96
PID 4516 wrote to memory of 4476	4516	CDS.exe	96
PID 4476 wrote to memory of 4512	4476	crypted.exe	102
PID 4476 wrote to memory of 4512	4476	crypted.exe	102
PID 4476 wrote to memory of 4512	4476	crypted.exe	102

C:\Users\Admin\AppData\Local\Temp\784ca02643e990429c39a7c440d2f68f.exe
"C:\Users\Admin\AppData\Local\Temp\784ca02643e990429c39a7c440d2f68f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4512
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe"
        5⤵
        
        PID:3068
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CDS.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CDS.exe
        6⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\crypted.exe"
        7⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CDS.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CDS.exe
        8⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\crypted.exe"
        9⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\CDS.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\CDS.exe
        10⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\crypted.exe"
        11⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\CSGO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CSGO.exe"
        12⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\CDS.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\CDS.exe
        13⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\crypted.exe"
        14⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        15⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 2
        16⤵
        Runs ping.exe
        
        PID:3028
        
        C:\Windows\SysWOW64\csgo\csgo.exe
        
        "C:\Windows\SysWOW64\csgo\csgo.exe"
        16⤵
        
        PID:2360

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x3ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

Filesize
1024KB

MD5
1c2e27721e71436e86c04d4a931a1742

SHA1
b3abb6a3198ea8e4bb7f060b7bbc07749da7b552

SHA256
a66b7343334e3e27658bb7db4cd07cd595d755711a8cde118f6be911e73a3dcf

SHA512
90c9edda027ac0a9ef8ac9e2e3ec49c82073c47311d6f48d28b6a2f0f00b63a7b347af74c5ebf010b4b42020bd712fde02a1dfb34e2a9a2cbc46fb6851ad56d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

Filesize
1018KB

MD5
ee156804b0f26eea7e33dea891e47f18

SHA1
9a140d56881f420c8c5a80581fdc0a53472a6bff

SHA256
742d46d944e9ff3bc25c725367ad9bfd1ac8cd4a7c9fbc78d7ca8e5d0c11715b

SHA512
5f038dab46ecb6a7dfe1243cf1ca59e9200afc92506e2da9c94a264e84663f4cd62b4374dda87be3c6662c9b813a7b81eac49fbd12c0ca63539600538164b1bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

Filesize
384KB

MD5
6ae1fd6add01ff3640202ccf86a040c8

SHA1
fbd839e93c2f610b61bddf52aea16bcd7b79d0a2

SHA256
d8fb0eaef583c3eb3d9e91d4bd821a3d01cb7aa023eac2ce140573e54629f226

SHA512
b5dd906cc8668b962e3786c51e26166e82027f6c87af8fb25ed660b051df63dbaca3759db8abd8be22a9eed4c2090dc6eee574e0705f6ad564f05a21ccab7695

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

Filesize
1024KB

MD5
66d0e2bc8ef5d715107bffe6c326b102

SHA1
d4142757d4e3a5bff9661cecee3e994e22d68667

SHA256
05b46dacaa066c966a19f0d6623d45fcbabd59ba68f64e4868267223f176e2bf

SHA512
9667dae93e588e6bad06d6027b5ae55051e2d8ace635bf1ae13edfd3fd5c52944cbaea1b380f8571aa7ae3a968fbebec571604238914d4b9a4172e692347cf9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

Filesize
1.0MB

MD5
daf649c5042bb5f2354a860a964bc5ed

SHA1
a78216628471bb62e6a0b4f64165e9fff9124854

SHA256
301e1d83894ecb992e7ac9144d48a10a24fc12b2a955a2f2754db27254163317

SHA512
b3bef66ba906e45d80321ef652407bc19eeae8a68be427b4c8c51ec0d5e2a951fe656941d0dfe7ba8e7ec429292aacd4a9205680d7730b2063ee6980baa73ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

Filesize
1.1MB

MD5
ed2c63293451656f81d6904baf9024cd

SHA1
b55add109388ca9340476d53a38057b7d110b261

SHA256
6ae375c6a57f7e2b7565fc82b9f09aaf5a1a279f6bcedca66c0bcceebcaa4ad6

SHA512
070aecd0a874da35309f3d5d2cffc0ae8242f40697f43a8061ad9ec9346619d1be9ffdf170759317662e1a6d9bc19262f27652e7773cecddd434bca84566f846

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

Filesize
5B

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe

Filesize
381KB

MD5
7bd258e3d02abdc016ce21fe2c24da69

SHA1
c7c6fefdfe8aad2b761b2a0190935f4cd73d37ce

SHA256
b55473eeeed1a2e6089b62174337252047b11141a535cb919389f97fc82c62f7

SHA512
b25e154caa1fa0eebf2b69c5c3702b37f7e516c69b9c44fdd9ae940a67eed73dd39043141db7f13312b9b730da283ce67d55996d2b26bb1eafb8e84aed5eab35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe

Filesize
92KB

MD5
ff2a1341671e18b8353592683b257fdc

SHA1
94511d45b030ad1534f96eb5337d2e9a3fb3915b

SHA256
76b11dddbf44cb1305af0bbb2bb4832ffd83bde58e6de4cfa2909cde03afee64

SHA512
804ddc3bf56d79048ad0b4285bbe69804a86cfc5a09a8ba30229c80327d45351e4b5589f93016d5bafcf0118d542755b81a6104cef2e20828f20a1059a7ff2ca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads