Resubmissions
07-05-2024 12:30
240507-ppmaqafg4w 1007-05-2024 12:30
240507-pplzysfg4v 1007-05-2024 12:30
240507-ppldesad49 1007-05-2024 12:30
240507-ppkrwsad48 1007-05-2024 12:30
240507-pphmjaad45 1025-04-2024 12:58
240425-p7n72aba35 10Analysis
-
max time kernel
599s -
max time network
458s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
07-05-2024 12:30
Static task
static1
Behavioral task
behavioral1
Sample
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral2
Sample
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe
Resource
win7-20231129-en
Behavioral task
behavioral3
Sample
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe
Resource
win11-20240426-en
General
-
Target
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe
-
Size
96KB
-
MD5
131962bf60ac02f759cf2f57808eaee9
-
SHA1
2636de442f3fc52c0a9640875b74ff9d236a359d
-
SHA256
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3
-
SHA512
ee787f0e2ae36c3ed046489be23a0335a325b3a9f38121c6ecd3e1c7d166abbc6779effc13451b01f6838eaa4e299445bc25b1b524110667580bcfbe824a9836
-
SSDEEP
1536:wB3XC0TP7sRav52HE9jMeR3MnQqrMVMnxb/n6cgNwf5mfF9zz51zpJ7Hx1eqkyF0:wBa01YbOfF9b7R1eqkDF
Malware Config
Signatures
-
Processes:
audiodg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" audiodg.exe -
Executes dropped EXE 1 IoCs
Processes:
audiodg.exepid process 5248 audiodg.exe -
Processes:
audiodg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" audiodg.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Audio Device Graph Isolation = "C:\\32991782916877\\audiodg.exe" 6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Audio Device Graph Isolation = "C:\\32991782916877\\audiodg.exe" 6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exedescription pid process target process PID 4572 wrote to memory of 5248 4572 6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe audiodg.exe PID 4572 wrote to memory of 5248 4572 6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe audiodg.exe PID 4572 wrote to memory of 5248 4572 6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe audiodg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe"C:\Users\Admin\AppData\Local\Temp\6dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\32991782916877\audiodg.exeC:\32991782916877\audiodg.exe2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
PID:5248
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD5131962bf60ac02f759cf2f57808eaee9
SHA12636de442f3fc52c0a9640875b74ff9d236a359d
SHA2566dfdfb7f2716f3e3f684e1b8c92431563e3f65d2c64df24d6dda1c8bc6a198a3
SHA512ee787f0e2ae36c3ed046489be23a0335a325b3a9f38121c6ecd3e1c7d166abbc6779effc13451b01f6838eaa4e299445bc25b1b524110667580bcfbe824a9836