Resubmissions
07-05-2024 12:30
240507-ppmaqafg4w 1007-05-2024 12:30
240507-pplzysfg4v 1007-05-2024 12:30
240507-ppldesad49 1007-05-2024 12:30
240507-ppkrwsad48 1007-05-2024 12:30
240507-pphmjaad45 1025-04-2024 12:58
240425-p7n72aba35 10Analysis
-
max time kernel
299s -
max time network
298s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
25-04-2024 12:58
Static task
static1
Behavioral task
behavioral1
Sample
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe
Resource
win7-20240220-en
Behavioral task
behavioral3
Sample
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral5
Sample
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe
Resource
win11-20240412-en
General
-
Target
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe
-
Size
96KB
-
MD5
131962bf60ac02f759cf2f57808eaee9
-
SHA1
2636de442f3fc52c0a9640875b74ff9d236a359d
-
SHA256
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3
-
SHA512
ee787f0e2ae36c3ed046489be23a0335a325b3a9f38121c6ecd3e1c7d166abbc6779effc13451b01f6838eaa4e299445bc25b1b524110667580bcfbe824a9836
-
SSDEEP
1536:wB3XC0TP7sRav52HE9jMeR3MnQqrMVMnxb/n6cgNwf5mfF9zz51zpJ7Hx1eqkyF0:wBa01YbOfF9b7R1eqkDF
Malware Config
Signatures
-
Processes:
audiodg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" audiodg.exe -
Executes dropped EXE 1 IoCs
Processes:
audiodg.exepid process 4668 audiodg.exe -
Processes:
audiodg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" audiodg.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Audio Device Graph Isolation = "C:\\11222262127430\\audiodg.exe" 6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Audio Device Graph Isolation = "C:\\11222262127430\\audiodg.exe" 6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exedescription pid process target process PID 3336 wrote to memory of 4668 3336 6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe audiodg.exe PID 3336 wrote to memory of 4668 3336 6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe audiodg.exe PID 3336 wrote to memory of 4668 3336 6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe audiodg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe"C:\Users\Admin\AppData\Local\Temp\6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\11222262127430\audiodg.exeC:\11222262127430\audiodg.exe2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
PID:4668
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD5131962bf60ac02f759cf2f57808eaee9
SHA12636de442f3fc52c0a9640875b74ff9d236a359d
SHA2566dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3
SHA512ee787f0e2ae36c3ed046489be23a0335a325b3a9f38121c6ecd3e1c7d166abbc6779effc13451b01f6838eaa4e299445bc25b1b524110667580bcfbe824a9836