7c63edc82b87870467fbd31439ef2da3d9537e5b5b7615f8a131742ecdfa7c57

General

Target

bf304c611ce17e42ce2ae9c7f4489235.exe
Size

892KB
MD5

bf304c611ce17e42ce2ae9c7f4489235
SHA1

34e52a15d43a93629bfb15251093e1183a2872cd
SHA256

7c63edc82b87870467fbd31439ef2da3d9537e5b5b7615f8a131742ecdfa7c57
SHA512

e4aaa6a1275252234930938fd63bf2c68f47fb58a6a6ae2d9d4813d968a0670c438046de2d42d266f7a5b1a87109587ef88204ade137de6162bb7d855d8bd4e7
SSDEEP

24576:NrBH1xsRe2vZUtKy/X+gg4hmmM1R4wWHSy4u7I:5BmnmhDgyWMnyy4us

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\systemz.exe"	regedit.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

pid	Process
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main	bf304c611ce17e42ce2ae9c7f4489235.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	bf304c611ce17e42ce2ae9c7f4489235.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	bf304c611ce17e42ce2ae9c7f4489235.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2556	regedit.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2852	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2852	AUDIODG.EXE
Token: 33	2852	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2852	AUDIODG.EXE
Token: 33	2920	bf304c611ce17e42ce2ae9c7f4489235.exe
Token: SeIncBasePriorityPrivilege	2920	bf304c611ce17e42ce2ae9c7f4489235.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2920	bf304c611ce17e42ce2ae9c7f4489235.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2920	bf304c611ce17e42ce2ae9c7f4489235.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe
2920	bf304c611ce17e42ce2ae9c7f4489235.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 3012	2920	bf304c611ce17e42ce2ae9c7f4489235.exe	28
PID 2920 wrote to memory of 3012	2920	bf304c611ce17e42ce2ae9c7f4489235.exe	28
PID 2920 wrote to memory of 3012	2920	bf304c611ce17e42ce2ae9c7f4489235.exe	28
PID 2920 wrote to memory of 3012	2920	bf304c611ce17e42ce2ae9c7f4489235.exe	28
PID 2920 wrote to memory of 1396	2920	bf304c611ce17e42ce2ae9c7f4489235.exe	30
PID 2920 wrote to memory of 1396	2920	bf304c611ce17e42ce2ae9c7f4489235.exe	30
PID 2920 wrote to memory of 1396	2920	bf304c611ce17e42ce2ae9c7f4489235.exe	30
PID 2920 wrote to memory of 1396	2920	bf304c611ce17e42ce2ae9c7f4489235.exe	30
PID 3012 wrote to memory of 2556	3012	cmd.exe	32
PID 3012 wrote to memory of 2556	3012	cmd.exe	32
PID 3012 wrote to memory of 2556	3012	cmd.exe	32
PID 3012 wrote to memory of 2556	3012	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\bf304c611ce17e42ce2ae9c7f4489235.exe
"C:\Users\Admin\AppData\Local\Temp\bf304c611ce17e42ce2ae9c7f4489235.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c regedit /s C:\Users\Admin\AppData\Local\Temp\syz.reg
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\syz.reg
    3⤵
    - Adds Run key to start application
    - Runs .reg file with regedit
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" cmd /c copy "C:\Users\Admin\AppData\Local\Temp\bf304c611ce17e42ce2ae9c7f4489235.exe" C:\Users\Admin\AppData\Local\Temp\systemz.exe
  2⤵
  PID:1396

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x598
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J6KMOG19\api[1].js

Filesize
850B

MD5
33d99cfc94db7d1ab5149b1e677b4c85

SHA1
ffec081b0a5b325f2b124ea8804ba0de9beae98c

SHA256
0e945fe9e80b82b1ac2e714f03672ed0c439e61e489430ba46623245399fca25

SHA512
315ed3f0edae2d3057be354d7d97ab298f51e791c03cd19c46d96e0116a6757033e509d92633eafba9365d6588af2b96cce4b0088020a88eac5086d07a0b3b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K224YIDM\recaptcha__en[1].js

Filesize
489KB

MD5
d52ac252287f3b65932054857f7c26a7

SHA1
940b62eae6fb008d6f15dfb7aaf6fb125dba1fec

SHA256
4c06e93049378bf0cdbbe5d3a1d0c302ac2d35faec13623ad812ee41495a2a57

SHA512
c08ff9d988aea4c318647c79ae8ca9413b6f226f0efbdab1cdd55ec04b6760812716ff27e0ee86941e8a654d39cddd56251d8392a0ac2c4c8839f27853556154

Download Submit
C:\Users\Admin\AppData\Local\Temp\syz.reg

Filesize
142B

MD5
3dcb2970364dd1aed8afdc22ad23f744

SHA1
dabe890160afa696ce867aa7a2a7c0bd31e04189

SHA256
3e12da1b732e8274f4818df57ca0423b395fb70cbf4c4e3a82141171ac1433a6

SHA512
066d6c3e02dc5b913678e5c4f1ed5b3960def50e679b2d4ea87961d8b8ceaf14f924ee77b293d08ef1c97afbeee32f4fd16688fd638809b668c734ba9b25b385

Download Submit
memory/2920-43-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-45-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-3-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2920-10-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-38-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-39-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-40-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-41-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2920-42-0x0000000003BF0000-0x0000000003C00000-memory.dmp

Filesize
64KB

Download
memory/2920-1-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-44-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-5-0x0000000003BF0000-0x0000000003C00000-memory.dmp

Filesize
64KB

Download
memory/2920-46-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-47-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-48-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-49-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-2-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-0-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-57-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-58-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-59-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-60-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2920-61-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads