b1210522244d9786ca8b3cca3611d47e2f9c2a7f4e0c6dc1c6902ca72e60afcf

General

Target

dyrochku.exe
Size

508KB
MD5

373ae1aa06abbe6d6ef4c47fda97e92b
SHA1

8fa3250e8f10813f75adf926918937affe45810e
SHA256

b1210522244d9786ca8b3cca3611d47e2f9c2a7f4e0c6dc1c6902ca72e60afcf
SHA512

b17ac076a07a8cbee06680e7f134a4358decd45498b8219ab85e9c794e0aad3feb0759ae679cf2a93362ea72b35313c9ed6ed590cab67d896e4c51f565d5b436
SSDEEP

12288:wzxzTDWikLSb4NS78Pzo8O7XgsyHElKkagNW45PGwOUhBHZ:mDWHSb4NRbobEsdKBoTrZ

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	dyrochku.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2636	WScript.exe
Token: SeCreatePagefilePrivilege	2636	WScript.exe
Token: 33	4612	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4612	AUDIODG.EXE
Token: SeShutdownPrivilege	2636	WScript.exe
Token: SeCreatePagefilePrivilege	2636	WScript.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 2636	596	dyrochku.exe	74
PID 596 wrote to memory of 2636	596	dyrochku.exe	74
PID 596 wrote to memory of 2636	596	dyrochku.exe	74

C:\Users\Admin\AppData\Local\Temp\dyrochku.exe
"C:\Users\Admin\AppData\Local\Temp\dyrochku.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:2636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
4d4c9adda701ceb605d00b3774af9e41

SHA1
a7deabbd9cefd0b19adf52a1c6edbb95a38e5bf0

SHA256
aa06ef9b268c34d456b44ff35b48f933d26beccae3dd5a09813b3f87899298b1

SHA512
0b5ba363d5d72c5dd63685e0034d489c0b6da6c22725a1fbae564935e6dd5b9db49ac1ed318a9e6d85509e2a9b17db0ed2e74bcd0e399cb18370c7296501020a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs

Filesize
234B

MD5
448d64b7e2c09496500e077a00882dc6

SHA1
4796fb338dc81d16606ed76f63075b4fef8e051d

SHA256
b894b20027e433c8abe00659b972519d2e4166206de2cbc74cf41567581a099d

SHA512
c2160b4317670acea1cc9b5ba4a447ca1f95370eb119aa2299e2d3dad13d0aee1fd55ee4695b2883f2ce00339db88ec80cb0f104fb9fda8811bb3bd29afc25f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pod.mp3

Filesize
191KB

MD5
3236d81e37a573d3c969a67a0f0c97eb

SHA1
236c0f29f6f67147bd8c9d6767ef35bafe34df96

SHA256
05c8411329bb5be630da614866ffe68d11f0ccfb69b8e4593593f8eaca809e76

SHA512
84b3c55d179580aa404ee5b56eace400575bc5a28ef44da19d490b9a105e8b2d227bd1a0feb6fe9785950fc5752674217c528cf70a1ad3cece5c7a6d1c8ec1e2

Download Submit
memory/2636-20-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/2636-21-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/2636-22-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/2636-23-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/2636-24-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/2636-25-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/2636-40-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing