09f47991335c1a8c80c9e58e7bdd16f5de70d1418392317c8bb3caa76edce5cb

General

Target

c24a07f5b692b56145555f84f2a883dd.exe
Size

864KB
MD5

c24a07f5b692b56145555f84f2a883dd
SHA1

2398679916138931a18b405c623784e00f5392a7
SHA256

09f47991335c1a8c80c9e58e7bdd16f5de70d1418392317c8bb3caa76edce5cb
SHA512

9e9d3b812d9dbe5a0c9101f2d01b63b56dda9ce2ecd323c8b48af884acf6bcf0efb9c4352ac2a86647ca18e5ff9e9508d156395e6bc4d15a32519d2259e4f7f9
SSDEEP

24576:aBDGQJOzYRq/lpF8c7wEeDbLnpMLxJJ+0C:23uYRc9QD/pixn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3028	c24a07f5b692b56145555f84f2a883dd.exe

Loads dropped DLL 3 IoCs

pid	Process
1276	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus2008y = "C:\\Program Files (x86)\\Antivirus2008y\\c24a07f5b692b56145555f84f2a883dd.exe"	c24a07f5b692b56145555f84f2a883dd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Antivirus2008y\c24a07f5b692b56145555f84f2a883dd.exe	c24a07f5b692b56145555f84f2a883dd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3028	c24a07f5b692b56145555f84f2a883dd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1484	AUDIODG.EXE
Token: 33	1484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1484	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3028	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3028	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe
3028	c24a07f5b692b56145555f84f2a883dd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3028	c24a07f5b692b56145555f84f2a883dd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 3028	1276	c24a07f5b692b56145555f84f2a883dd.exe	28
PID 1276 wrote to memory of 3028	1276	c24a07f5b692b56145555f84f2a883dd.exe	28
PID 1276 wrote to memory of 3028	1276	c24a07f5b692b56145555f84f2a883dd.exe	28
PID 1276 wrote to memory of 3028	1276	c24a07f5b692b56145555f84f2a883dd.exe	28

C:\Users\Admin\AppData\Local\Temp\c24a07f5b692b56145555f84f2a883dd.exe
"C:\Users\Admin\AppData\Local\Temp\c24a07f5b692b56145555f84f2a883dd.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Program Files (x86)\Antivirus2008y\c24a07f5b692b56145555f84f2a883dd.exe
  "C:\Program Files (x86)\Antivirus2008y\c24a07f5b692b56145555f84f2a883dd.exe" /d:C:\Users\Admin\AppData\Local\Temp\c24a07f5b692b56145555f84f2a883dd.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3028

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x7c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Antivirus2008y\c24a07f5b692b56145555f84f2a883dd.exe

Filesize
509KB

MD5
5d96e06c6206d4603c6d2faddf6a74bb

SHA1
df7bd9c2c067bd20df87fcdb55350521031d544f

SHA256
f33ae77f9de21b9255d27e3fedba3096ef9f60a631c298149cb43e969f22c6d1

SHA512
84e620204438c8bbbe71708034c7cb7ff4da5e0717d192b2af5e8ee62bb9478e03668de38fa36fd3b54d608b386c80ee934f3efc440928693cb0e8e3f176ef17

Download Submit
C:\Program Files (x86)\Antivirus2008y\c24a07f5b692b56145555f84f2a883dd.exe

Filesize
849KB

MD5
1cce61fa4775cf2bd1cd6ec21e66c81d

SHA1
dd0ba7ae2c11996f21bd86a9a20e1ca6b4546c6e

SHA256
b33750983c20d404a7344f015f526f5db644d095d467135e7ca70c088b748f46

SHA512
942fa0fb58fc556c4f3a60bf2c3e09c4e87a9c7f6c6b9821b340195e7d29d0926c2d1426a7f0e8428029c721faa344c29683944beeac82a118d386f9237c4330

Download Submit
C:\Program Files (x86)\Antivirus2008y\c24a07f5b692b56145555f84f2a883dd.exe

Filesize
864KB

MD5
c24a07f5b692b56145555f84f2a883dd

SHA1
2398679916138931a18b405c623784e00f5392a7

SHA256
09f47991335c1a8c80c9e58e7bdd16f5de70d1418392317c8bb3caa76edce5cb

SHA512
9e9d3b812d9dbe5a0c9101f2d01b63b56dda9ce2ecd323c8b48af884acf6bcf0efb9c4352ac2a86647ca18e5ff9e9508d156395e6bc4d15a32519d2259e4f7f9

Download Submit
\Program Files (x86)\Antivirus2008y\c24a07f5b692b56145555f84f2a883dd.exe

Filesize
632KB

MD5
6cf082fde03c158adf6113532e642c78

SHA1
4ac0ce78d850587601510c02406932025ab9a249

SHA256
f6eb35a26a06d167be08e39c67f813d99950c7969cc5552ae1c9d49e299f39b2

SHA512
1e9e39f872c4d8448a417865c0a06a6107c089f0b182a33a82e6437b7c1b5e3f4740f0cbb8474e17fa861820bc55ba6478d513a9a9516cf636f8be80826dad11

Download Submit
memory/1276-1-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/1276-4-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1276-3-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/1276-2-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/1276-12-0x0000000004230000-0x0000000004557000-memory.dmp

Filesize
3.2MB

Download
memory/1276-0-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/1276-14-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-26-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-32-0x0000000004400000-0x0000000004410000-memory.dmp

Filesize
64KB

Download
memory/3028-17-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3028-18-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-15-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-24-0x0000000004400000-0x0000000004410000-memory.dmp

Filesize
64KB

Download
memory/3028-25-0x0000000004400000-0x0000000004410000-memory.dmp

Filesize
64KB

Download
memory/3028-13-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-27-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-28-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-30-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3028-29-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-31-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-16-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-33-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-35-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-36-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-37-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-38-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-39-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-40-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-41-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-42-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-43-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-44-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/3028-45-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads