Resubmissions
07-05-2024 12:06
240507-n9pqxahf66    10    07-05-2024 12:05
240507-n9masafa6v    10    07-05-2024 12:05
240507-n9lz1sfa6t    10    07-05-2024 12:05
240507-n9ewpsfa5v    10    07-05-2024 12:05
240507-n9dnmshf57    10    25-04-2024 13:00
240425-p8x7bsba47    10

Analysis
max time kernel: 299s
max time network: 299s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2024 12:05
Static task: static1
Behavioral task: behavioral1
  Sample: 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe
  Resource: win7-20240221-en
Behavioral task: behavioral3
  Sample: 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe
  Resource: win10-20240404-en
Behavioral task: behavioral4
  Sample: 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe
  Resource: win10v2004-20240419-en
Behavioral task: behavioral5
  Sample: 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe
  Resource: win11-20240419-en
General
Target: 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe
Size: 356KB
MD5: 6ffbff0cb624b4965fbea168ec43aea8
SHA1: 5be9a3b2238e13e0fa17ada96e4bb53a5b58fd81
SHA256: 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d
SHA512: edbcb9de0b4ff80da0debb6c0d8be7198efac3ba5534997396f4461a4b43dd897e09f126e68fe928e7c5f48446583c7ebce7757f4dd72f9bdb19a5e7934a04c0
SSDEEP: 6144:LXj4tVpmiFWkppKTXD6x/xai9VJrU+aUh5Px9YKRTw6pPZtM/FSpECb:LXj4tyxMuT6jp9Vvh5PPdZM/0GCb
Malware Config
Signatures
Processes: audiodg.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | audiodg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | audiodg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | audiodg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | audiodg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | audiodg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | audiodg.exe
Executes dropped EXE 1 IoCs
Processes: audiodg.exe
  pid | process
  2596 | audiodg.exe
Loads dropped DLL 1 IoCs
Processes: 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe
  pid | process
  2172 | 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe
Processes: audiodg.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | audiodg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | audiodg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | audiodg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | audiodg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | audiodg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | audiodg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | audiodg.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Audio Device Graph Isolation = "C:\\20633196424877\\audiodg.exe" | 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Audio Device Graph Isolation = "C:\\20633196424877\\audiodg.exe" | 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes: 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe
  description | pid | process | target process
  PID 2172 wrote to memory of 2596 | 2172 | 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe | audiodg.exe
  PID 2172 wrote to memory of 2596 | 2172 | 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe | audiodg.exe
  PID 2172 wrote to memory of 2596 | 2172 | 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe | audiodg.exe
  PID 2172 wrote to memory of 2596 | 2172 | 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe | audiodg.exe
Processes
C:\Users\Admin\AppData\Local\Temp\63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2172
  C:\20633196424877\audiodg.exe
    Command line: C:\20633196424877\audiodg.exe
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    PID: 2596
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 356KB
MD5: 6ffbff0cb624b4965fbea168ec43aea8
SHA1: 5be9a3b2238e13e0fa17ada96e4bb53a5b58fd81
SHA256: 63b087a9fa01c00b9f07712fa4c46e461245d5364606dd9dc10130d93415bd6d
SHA512: edbcb9de0b4ff80da0debb6c0d8be7198efac3ba5534997396f4461a4b43dd897e09f126e68fe928e7c5f48446583c7ebce7757f4dd72f9bdb19a5e7934a04c0