1a922971e8d5fa8744a85a508a90d81b5d7fa6b024400af40ca29433dc2da43b

General

Target

1a922971e8d5fa8744a85a508a90d81b5d7fa6b024400af40ca29433dc2da43b.exe
Size

843KB
MD5

a194de24dfbba6afe8153b8a7d593e7e
SHA1

dd9e65550462722c10a07a6018ddc3fade4b1406
SHA256

1a922971e8d5fa8744a85a508a90d81b5d7fa6b024400af40ca29433dc2da43b
SHA512

4f702036655b07112ccd9effc1602b92e1ec08edfe32a3ff649423a0ee6cc9a7897fb1404c13a3569e1bf1cd3d9d341d5f179038bb4c3f769c4472feb5567e20
SSDEEP

24576:yxYS04YNEMuExDiU6E5R9s8xY/2l/dqLc83oIbt+ri:yxA4auS+UjfU2TAt3oIbt+r

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2168	AudioDriver.exe

Loads dropped DLL 1 IoCs

pid	Process
2240	1a922971e8d5fa8744a85a508a90d81b5d7fa6b024400af40ca29433dc2da43b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe
2168	AudioDriver.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	AudioDriver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2168	AudioDriver.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2168	AudioDriver.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2168	2240	1a922971e8d5fa8744a85a508a90d81b5d7fa6b024400af40ca29433dc2da43b.exe	28
PID 2240 wrote to memory of 2168	2240	1a922971e8d5fa8744a85a508a90d81b5d7fa6b024400af40ca29433dc2da43b.exe	28
PID 2240 wrote to memory of 2168	2240	1a922971e8d5fa8744a85a508a90d81b5d7fa6b024400af40ca29433dc2da43b.exe	28
PID 2240 wrote to memory of 2168	2240	1a922971e8d5fa8744a85a508a90d81b5d7fa6b024400af40ca29433dc2da43b.exe	28

C:\Users\Admin\AppData\Local\Temp\1a922971e8d5fa8744a85a508a90d81b5d7fa6b024400af40ca29433dc2da43b.exe
"C:\Users\Admin\AppData\Local\Temp\1a922971e8d5fa8744a85a508a90d81b5d7fa6b024400af40ca29433dc2da43b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
821KB

MD5
999ee84f3d506e3413c8fa2d2b6e1eee

SHA1
1153f10ed80cdbc93bec3780cf9dc909ba724b68

SHA256
b2b51bd33016357130f7bc420a439963af8d95e57b42788e1e3bb7fdf46c1d1b

SHA512
80c369e87a8fae3734889f2628a4c80bb7e97ddf40a51ce6a7a0d71fdb0b1cc3d5059dc4444e1536e69575ed692356c70bc6308bfa53f0a7bf51c66b3e9ca996

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
843KB

MD5
a194de24dfbba6afe8153b8a7d593e7e

SHA1
dd9e65550462722c10a07a6018ddc3fade4b1406

SHA256
1a922971e8d5fa8744a85a508a90d81b5d7fa6b024400af40ca29433dc2da43b

SHA512
4f702036655b07112ccd9effc1602b92e1ec08edfe32a3ff649423a0ee6cc9a7897fb1404c13a3569e1bf1cd3d9d341d5f179038bb4c3f769c4472feb5567e20

Download Submit
memory/2168-21-0x0000000004810000-0x0000000004850000-memory.dmp

Filesize
256KB

Download
memory/2168-20-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2168-19-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/2168-16-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2168-18-0x0000000004810000-0x0000000004850000-memory.dmp

Filesize
256KB

Download
memory/2168-17-0x0000000000F80000-0x000000000105A000-memory.dmp

Filesize
872KB

Download
memory/2240-4-0x0000000000BE0000-0x0000000000C2C000-memory.dmp

Filesize
304KB

Download
memory/2240-8-0x0000000002130000-0x000000000217E000-memory.dmp

Filesize
312KB

Download
memory/2240-5-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/2240-1-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-15-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-3-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/2240-2-0x0000000004A60000-0x0000000004AA0000-memory.dmp

Filesize
256KB

Download
memory/2240-0-0x0000000000C50000-0x0000000000D2A000-memory.dmp

Filesize
872KB

Download

Analysis

Sharing