6733c00c0df10ca2d054311055e6ca40a521ae2f8ce0624d0cd1bbd76567d552

Analysis

max time kernel
154s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

075145c14e6928a8c24f9cf24bb6e64b.exe
Size

324KB
MD5

075145c14e6928a8c24f9cf24bb6e64b
SHA1

f8d979737f804b49496a2a0602b300064f1ba0f9
SHA256

6733c00c0df10ca2d054311055e6ca40a521ae2f8ce0624d0cd1bbd76567d552
SHA512

6830fbf6fed2b3789c52badc202949f0b22246913d2e29b497e1b66781c099d0432d8102f3163b8f5d92df4ad4cc7f90c6b013252e6a5954d3f8ecd6b4258bc6
SSDEEP

6144:ilCtShNJh1AOJuhH2YeI4zsdxJFGDpBGuHthrCXuJqZOfPxzGi88ge:NEJhiOUH2YeI4wdFQpBHHCXVZSxzN88R

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	075145c14e6928a8c24f9cf24bb6e64b.exe

Executes dropped EXE 3 IoCs

pid	Process
3720	Keygen.exe
1100	7za.exe
448	ic1.exe

Loads dropped DLL 1 IoCs

pid	Process
2724	075145c14e6928a8c24f9cf24bb6e64b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1652	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1652	AUDIODG.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 3720	2724	075145c14e6928a8c24f9cf24bb6e64b.exe	93
PID 2724 wrote to memory of 3720	2724	075145c14e6928a8c24f9cf24bb6e64b.exe	93
PID 2724 wrote to memory of 3720	2724	075145c14e6928a8c24f9cf24bb6e64b.exe	93
PID 2724 wrote to memory of 1100	2724	075145c14e6928a8c24f9cf24bb6e64b.exe	91
PID 2724 wrote to memory of 1100	2724	075145c14e6928a8c24f9cf24bb6e64b.exe	91
PID 2724 wrote to memory of 1100	2724	075145c14e6928a8c24f9cf24bb6e64b.exe	91
PID 2724 wrote to memory of 448	2724	075145c14e6928a8c24f9cf24bb6e64b.exe	95
PID 2724 wrote to memory of 448	2724	075145c14e6928a8c24f9cf24bb6e64b.exe	95

C:\Users\Admin\AppData\Local\Temp\075145c14e6928a8c24f9cf24bb6e64b.exe
"C:\Users\Admin\AppData\Local\Temp\075145c14e6928a8c24f9cf24bb6e64b.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  C:\Users\Admin\AppData\Local\Temp\7za.exe x C:\Users\Admin\AppData\Local\Temp\a1.7z -aoa -oC:\Users\Admin\AppData\Local\Temp -plolmilf
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Users\Admin\AppData\Local\Temp\Keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Users\Admin\AppData\Local\Temp\ic1.exe
  "C:\Users\Admin\AppData\Local\Temp\ic1.exe"
  2⤵
  - Executes dropped EXE
  PID:448

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x440
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
82KB

MD5
77719d8ba7f0bc4e3026e7b68e8d2a48

SHA1
97e3c6ed3891cf8ece7d5a6730635ec79d11f78c

SHA256
eacb95bff9a106c890240d9630e37fedb47a1fdb2e2b1ca568c17f9d94cdd5c5

SHA512
1f47ef7096eb3655cebc660882bca440587f37ea0e6154935ef2975e95d8572c60f0d333f526e86638e41e6dd3b2213d3abb3d3173a57091423998a24d32d48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
89KB

MD5
7b3a7ab785d925095146e2b6743b5409

SHA1
bf4ffcca71bbb5e62df880b7cf3317b23ec93aa5

SHA256
330418e0b5df3a0321d307473d7e134de2304aee1941f4fb79add5b03cded29e

SHA512
0798af61a5d0d7176b99381c74ba4917b5737c63ddadf440e6c431d70ea4cca1070d6fc5146fb26e69186f37bac3b21bf08fe91a230167139e8716c482de347b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Keygen.exe

Filesize
166KB

MD5
8879ab10558b8df58bc7c23ec8a4999c

SHA1
8c8168af29207b5cf2c8fc1aa7d815fc139e7efc

SHA256
6fda7d2da32e218d4909f4538198de3b55b15d03e28f835b2014d53d98ec7e21

SHA512
2a07213bdac6f96a0c009cfba640befb89e6fa2370e67b08001fe77af3e89cd0aa4f381b4d8c5e3f8fa785196489c75cd18d8abdadd3f158de7f662bd72a284f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Keygen.exe

Filesize
134KB

MD5
e445ff4ab61afc33b5a64d81b3fe73c3

SHA1
08cd5a6111840947a1070776677fd10e21deae99

SHA256
28a05274fa6eea49a02ba1fe2efa73dd6b2aa980aa3430475fc2ca8f0587c308

SHA512
cdca2adba2a46cb03edcc7d8d523384ca5897714ff55e5294737854607934ab625476d7b7446c7190385504c94ca4276e9d8d26f8679b78aa8f253fb19852a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1.7z

Filesize
7KB

MD5
b7e6d80b93ee7c6a999f37d31ef27bc3

SHA1
29f7fd90835d168a3293f0964bc307b17e12ddba

SHA256
71c770f1bd0849e0abdda729ba85f81e7d02f1f9507526492d87cde7f04cdf82

SHA512
802e370281c6671f67e61d86b4667239d03349b6d0202030e78437b9fdc9bb97e1c5f6391a1ee733bf17c867a31b51f84e7330fdba02dd4358dd09344bc820d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic1.exe

Filesize
9KB

MD5
92140b427487c2478650a6a9c2368a7c

SHA1
be21efe73466fabb29608471b4dc611960ceadd0

SHA256
6d56cd96cf8cc1d59b9d76cc5d1fd2fea8d685a06f8cc1dfb1b0ede761d67bab

SHA512
1e7241c69d8485396a67756ec0428e083aeb3937fb22a7925772420b97d4880fac27d6eaefdf1cb20a4c5072edd4ee9536c7e991a9bae1761e04602f2c06fdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic1.exe

Filesize
5KB

MD5
761a8d99fe68bbf3608b011869c3fd57

SHA1
c08f58f0c9f7b5c47630483447f38b9a86e5e675

SHA256
79f256e4e0723126f1228a6e72d61109ca3d7d6956e2100fc4e4da26d645a13c

SHA512
24f199ce8c3d66b954f3ce7e4edf1184083e2b2e8092e966c54b216655d57d00bf6cf3b8557feb7bd383a55ebf436caf01ab70c1432f403c91194e3aae8527b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfAD97.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfAD97.tmp\ExecDos.dll

Filesize
1KB

MD5
ea06d02aa6cb071ea9748b62c366c46f

SHA1
26b5e34fc4c3bee287a8fdea9304732915f9370f

SHA256
838e3b1c325b667111bf0eac98a14a2012d01f3cdc9bc0577d43936fadeba8e6

SHA512
1f3b9b4232c97e35e587ac31ba28e5d0f6722402486306df7af6c9a13a1b1749b6de882e1da07bc727be058e02697b617c79331d704904e661558854269dd0b7

Download Submit
memory/448-30-0x00007FF948B00000-0x00007FF9494A1000-memory.dmp

Filesize
9.6MB

Download
memory/448-39-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/448-31-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/448-27-0x000000001B6E0000-0x000000001B786000-memory.dmp

Filesize
664KB

Download
memory/448-29-0x000000001BCA0000-0x000000001C16E000-memory.dmp

Filesize
4.8MB

Download
memory/448-32-0x000000001C250000-0x000000001C2EC000-memory.dmp

Filesize
624KB

Download
memory/448-33-0x00000000010F0000-0x00000000010F8000-memory.dmp

Filesize
32KB

Download
memory/448-34-0x000000001C3B0000-0x000000001C3FC000-memory.dmp

Filesize
304KB

Download
memory/448-35-0x000000001C460000-0x000000001C4C0000-memory.dmp

Filesize
384KB

Download
memory/448-28-0x00007FF948B00000-0x00007FF9494A1000-memory.dmp

Filesize
9.6MB

Download
memory/448-40-0x00007FF948B00000-0x00007FF9494A1000-memory.dmp

Filesize
9.6MB

Download
memory/448-41-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/448-42-0x00007FF948B00000-0x00007FF9494A1000-memory.dmp

Filesize
9.6MB

Download
memory/448-43-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/448-44-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/448-45-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/448-46-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/448-47-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download