cb784822fcaa9dd262d06813105993fcb5d2e4ff1a5c0e129c60d4ca924e0ee0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

012755ccc0c4c25632653658c117cc3a.exe
Size

1.5MB
MD5

012755ccc0c4c25632653658c117cc3a
SHA1

20632a682d1cb5e5a6af8573c46fd2de04bb7747
SHA256

cb784822fcaa9dd262d06813105993fcb5d2e4ff1a5c0e129c60d4ca924e0ee0
SHA512

feb82c70215bdb39a5d32c1a2cc11f149ee710ceedd3a29a9d154c1481a545f75bea76e5ef30472a4512c7db6df9141a09faac9d04338e48d2e082a0c0639fdf
SSDEEP

24576:lqet3SdZ9xauWImtIfQ0d44Et22FcNUbl8R4OvJayv8lsnrKLs+rs4ied6Mp:VkdQSmtNxt2LNH4OvoyCErD+44iU6U

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	012755ccc0c4c25632653658c117cc3a.exe

Executes dropped EXE 2 IoCs

pid	Process
1080	obadah.exe
2780	obadah.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1080 set thread context of 2780	1080	obadah.exe	24

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2128	1080	WerFault.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	012755ccc0c4c25632653658c117cc3a.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3544	vlc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2780	obadah.exe
2780	obadah.exe
2780	obadah.exe
2780	obadah.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3544	vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4176	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4176	AUDIODG.EXE
Token: 33	3544	vlc.exe
Token: SeIncBasePriorityPrivilege	3544	vlc.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe
3544	vlc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1080	2028	012755ccc0c4c25632653658c117cc3a.exe	25
PID 2028 wrote to memory of 1080	2028	012755ccc0c4c25632653658c117cc3a.exe	25
PID 2028 wrote to memory of 1080	2028	012755ccc0c4c25632653658c117cc3a.exe	25
PID 1080 wrote to memory of 2780	1080	obadah.exe	24
PID 1080 wrote to memory of 2780	1080	obadah.exe	24
PID 1080 wrote to memory of 2780	1080	obadah.exe	24
PID 1080 wrote to memory of 2780	1080	obadah.exe	24
PID 1080 wrote to memory of 2780	1080	obadah.exe	24
PID 2028 wrote to memory of 3544	2028	012755ccc0c4c25632653658c117cc3a.exe	19
PID 2028 wrote to memory of 3544	2028	012755ccc0c4c25632653658c117cc3a.exe	19
PID 2780 wrote to memory of 3560	2780	obadah.exe	55
PID 2780 wrote to memory of 3560	2780	obadah.exe	55
PID 2780 wrote to memory of 3560	2780	obadah.exe	55
PID 2780 wrote to memory of 3560	2780	obadah.exe	55

C:\Users\Admin\AppData\Local\Temp\012755ccc0c4c25632653658c117cc3a.exe
"C:\Users\Admin\AppData\Local\Temp\012755ccc0c4c25632653658c117cc3a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\ÊäÊÇß ØíÇÒí.wmv"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3544
- C:\obadah.exe
  "C:\obadah.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 312
1⤵
- Program crash
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1080 -ip 1080
1⤵
PID:4224

C:\obadah.exe
C:\obadah.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x150
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\obadah.exe

Filesize
77KB

MD5
ade2d9fe0cecc4dffbaaf6fced5aeefc

SHA1
345023485a17eae171d92cac174151f21530e452

SHA256
fccb081986e5cf25e5f7ef9dd7bf9bb1da97f29aed3bdd7f8517f71b1d661c5f

SHA512
c1d7238c9c763f8789a9e9a6526de03d73bed45fe4b59a732f92f16956ec9aef849828f59b88b6605d9f131c7d1322a613164c740435989681670568f5a15420

Download Submit
C:\ÊäÊÇß ØíÇÒí.wmv

Filesize
386KB

MD5
350844efb6685786fe56ec0587042216

SHA1
511be8be567a919224395d46190acf547ece8efe

SHA256
d70b2ade77c2d8f88ecbf550f43052187ff23cb00516007384ab717b267d73eb

SHA512
7e40455374b41b9e35147c7878080cd1c4d6780662669c496573e8832097b072fd2e53146d1b84dec7fa0732efe26cb7b86225772ded98625f8a163bcc3c1a10

Download Submit
C:\ÊäÊÇß ØíÇÒí.wmv

Filesize
381KB

MD5
fcb8f6ea7ca8fd5392b695d750a4ac29

SHA1
113c53056d6f4d127aecc3f5f5b4b206bcaa505c

SHA256
af7d92398bd9d1bc6e0f492fb0e404eee11de8dc637cebf209fea4f149ae9e8c

SHA512
b3e17ea510bd4bf32499aa2f28da9820a03990a678c1f76813ff9492a497d80f6afbc156f48ad66808ee12d642545815431e974b79fadbbc44981c064a2ddfb9

Download Submit
memory/1080-30-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2028-18-0x0000000010000000-0x0000000010181000-memory.dmp

Filesize
1.5MB

Download
memory/2780-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2780-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2780-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2780-26-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/3544-31-0x00007FF7B4BF0000-0x00007FF7B4CE8000-memory.dmp

Filesize
992KB

Download
memory/3544-40-0x00007FF932290000-0x00007FF9322A1000-memory.dmp

Filesize
68KB

Download
memory/3544-42-0x00007FF92E4B0000-0x00007FF92E4EF000-memory.dmp

Filesize
252KB

Download
memory/3544-41-0x00007FF9231D0000-0x00007FF9233D0000-memory.dmp

Filesize
2.0MB

Download
memory/3544-57-0x00007FF932C10000-0x00007FF932C38000-memory.dmp

Filesize
160KB

Download
memory/3544-64-0x00007FF9218C0000-0x00007FF92190C000-memory.dmp

Filesize
304KB

Download
memory/3544-67-0x00007FF9214A0000-0x00007FF9216EB000-memory.dmp

Filesize
2.3MB

Download
memory/3544-66-0x00007FF9216F0000-0x00007FF921747000-memory.dmp

Filesize
348KB

Download
memory/3544-65-0x00007FF921750000-0x00007FF9218BB000-memory.dmp

Filesize
1.4MB

Download
memory/3544-63-0x00007FF921910000-0x00007FF921952000-memory.dmp

Filesize
264KB

Download
memory/3544-62-0x00007FF921960000-0x00007FF921972000-memory.dmp

Filesize
72KB

Download
memory/3544-78-0x00007FF91F890000-0x00007FF91F8A5000-memory.dmp

Filesize
84KB

Download
memory/3544-85-0x00007FF91F7A0000-0x00007FF91F7CB000-memory.dmp

Filesize
172KB

Download
memory/3544-84-0x00007FF91F7D0000-0x00007FF91F7E1000-memory.dmp

Filesize
68KB

Download
memory/3544-83-0x00007FF91F7F0000-0x00007FF91F805000-memory.dmp

Filesize
84KB

Download
memory/3544-82-0x00007FF91F810000-0x00007FF91F825000-memory.dmp

Filesize
84KB

Download
memory/3544-81-0x00007FF91F830000-0x00007FF91F842000-memory.dmp

Filesize
72KB

Download
memory/3544-80-0x00007FF91F850000-0x00007FF91F864000-memory.dmp

Filesize
80KB

Download
memory/3544-79-0x00007FF91F870000-0x00007FF91F883000-memory.dmp

Filesize
76KB

Download
memory/3544-77-0x00007FF91F8B0000-0x00007FF91F8C2000-memory.dmp

Filesize
72KB

Download
memory/3544-76-0x00007FF91F8D0000-0x00007FF91F8EB000-memory.dmp

Filesize
108KB

Download
memory/3544-75-0x00007FF91F8F0000-0x00007FF91F903000-memory.dmp

Filesize
76KB

Download
memory/3544-74-0x00007FF91F910000-0x00007FF91F93A000-memory.dmp

Filesize
168KB

Download
memory/3544-73-0x00007FF91F940000-0x00007FF91FA34000-memory.dmp

Filesize
976KB

Download
memory/3544-72-0x00007FF91FA40000-0x00007FF91FA53000-memory.dmp

Filesize
76KB

Download
memory/3544-71-0x00007FF91FA60000-0x00007FF91FA83000-memory.dmp

Filesize
140KB

Download
memory/3544-70-0x00007FF91FA90000-0x00007FF91FAA5000-memory.dmp

Filesize
84KB

Download
memory/3544-69-0x00007FF91FAD0000-0x00007FF91FCED000-memory.dmp

Filesize
2.1MB

Download
memory/3544-68-0x00007FF91FCF0000-0x00007FF9214A0000-memory.dmp

Filesize
23.7MB

Download
memory/3544-61-0x00007FF921980000-0x00007FF921AF0000-memory.dmp

Filesize
1.4MB

Download
memory/3544-60-0x00007FF921AF0000-0x00007FF921B07000-memory.dmp

Filesize
92KB

Download
memory/3544-59-0x00007FF921F30000-0x00007FF9220A8000-memory.dmp

Filesize
1.5MB

Download
memory/3544-58-0x00007FF92BEF0000-0x00007FF92BF14000-memory.dmp

Filesize
144KB

Download
memory/3544-55-0x00007FF932CA0000-0x00007FF932CB1000-memory.dmp

Filesize
68KB

Download
memory/3544-51-0x00007FF92E3F0000-0x00007FF92E408000-memory.dmp

Filesize
96KB

Download
memory/3544-50-0x00007FF92E410000-0x00007FF92E421000-memory.dmp

Filesize
68KB

Download
memory/3544-49-0x00007FF92E430000-0x00007FF92E44B000-memory.dmp

Filesize
108KB

Download
memory/3544-48-0x00007FF92E450000-0x00007FF92E461000-memory.dmp

Filesize
68KB

Download
memory/3544-47-0x00007FF92E470000-0x00007FF92E481000-memory.dmp

Filesize
68KB

Download
memory/3544-46-0x00007FF92E490000-0x00007FF92E4A1000-memory.dmp

Filesize
68KB

Download
memory/3544-56-0x00007FF932C40000-0x00007FF932C96000-memory.dmp

Filesize
344KB

Download
memory/3544-54-0x00007FF9220B0000-0x00007FF92211F000-memory.dmp

Filesize
444KB

Download
memory/3544-53-0x00007FF9293D0000-0x00007FF929437000-memory.dmp

Filesize
412KB

Download
memory/3544-52-0x00007FF92BF20000-0x00007FF92BF50000-memory.dmp

Filesize
192KB

Download
memory/3544-45-0x00007FF930890000-0x00007FF9308A8000-memory.dmp

Filesize
96KB

Download
memory/3544-44-0x00007FF932180000-0x00007FF9321A1000-memory.dmp

Filesize
132KB

Download
memory/3544-43-0x00007FF922120000-0x00007FF9231CB000-memory.dmp

Filesize
16.7MB

Download
memory/3544-39-0x00007FF932560000-0x00007FF93257D000-memory.dmp

Filesize
116KB

Download
memory/3544-38-0x00007FF932580000-0x00007FF932591000-memory.dmp

Filesize
68KB

Download
memory/3544-37-0x00007FF9325A0000-0x00007FF9325B7000-memory.dmp

Filesize
92KB

Download
memory/3544-36-0x00007FF9328C0000-0x00007FF9328D1000-memory.dmp

Filesize
68KB

Download
memory/3544-35-0x00007FF9329F0000-0x00007FF932A07000-memory.dmp

Filesize
92KB

Download
memory/3544-34-0x00007FF93BEE0000-0x00007FF93BEF8000-memory.dmp

Filesize
96KB

Download
memory/3544-33-0x00007FF9233D0000-0x00007FF923684000-memory.dmp

Filesize
2.7MB

Download
memory/3544-32-0x00007FF932D80000-0x00007FF932DB4000-memory.dmp

Filesize
208KB

Download
memory/3560-27-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/3560-25-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download