9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa

General

Target

9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Size

222KB
MD5

9e1ec0ca9b461128a5c0f043edc9c003
SHA1

0795139ad49e433c8e326a1741328505301759e9
SHA256

9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa
SHA512

d7dac235f3d8defc96480463f0d2d2566067d81ca27e92089c583ccf96cc36caeb55d5d0630dc423ed6770cb6847ec6635692b3426e9417a96e1197a316dca42
SSDEEP

6144:C9npsuf052Nxy/f6E8MAUlKCEcg33wH9DnEPAFeEx:C9nSu0bWcdxn

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/932-0-0x0000000000400000-0x0000000000439000-memory.dmp	UPX
C:\Users\Admin\AppData\Roaming\Microsoft\bin\lsass32.exe	UPX
behavioral2/memory/1920-51-0x0000000000400000-0x0000000000439000-memory.dmp	UPX
behavioral2/memory/932-54-0x0000000000400000-0x0000000000439000-memory.dmp	UPX
behavioral2/memory/2728-55-0x0000000000400000-0x0000000000439000-memory.dmp	UPX
behavioral2/memory/1920-61-0x0000000000400000-0x0000000000439000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe

Executes dropped EXE 2 IoCs

Processes:

lsass32.exelsass32.exe

pid process

1920 lsass32.exe
2728 lsass32.exe

pid	process
1920	lsass32.exe
2728	lsass32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/932-0-0x0000000000400000-0x0000000000439000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Microsoft\bin\lsass32.exe	upx
behavioral2/memory/1920-51-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/932-54-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2728-55-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/1920-61-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

Processes:

9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkexp\shell\open	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\open	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\runas	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkexp	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkexp\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\bin\\lsass32.exe\" /START \"%1\" %*"	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\open\command	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkexp\DefaultIcon	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkexp\shell\open\command\IsolatedCommand = "\"%1\" %*"	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkexp\shell\runas	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkexp\shell\runas\command\IsolatedCommand = "\"%1\" %*"	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\ = "lnkexp"	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\bin\\lsass32.exe\" /START \"%1\" %*"	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkexp\Content-Type = "application/x-msdownload"	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\runas\command	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\Content-Type = "application/x-msdownload"	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\DefaultIcon\ = "%1"	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkexp\shell\open\command	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkexp\DefaultIcon\ = "%1"	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkexp\shell\runas\command\ = "\"%1\" %*"	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkexp\ = "Application"	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkexp\shell\runas\command	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\DefaultIcon	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkexp\shell	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

lsass32.exeAUDIODG.EXE

description pid process

Token: SeIncBasePriorityPrivilege 1920 lsass32.exe
Token: 33 1912 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1912 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lsass32.exe

pid process

1920 lsass32.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1920	lsass32.exe
Token: 33	1912	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1912	AUDIODG.EXE

pid	process
1920	lsass32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exelsass32.exe

description	pid	process	target process
PID 932 wrote to memory of 1920	932	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe	lsass32.exe
PID 932 wrote to memory of 1920	932	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe	lsass32.exe
PID 932 wrote to memory of 1920	932	9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe	lsass32.exe
PID 1920 wrote to memory of 2728	1920	lsass32.exe	lsass32.exe
PID 1920 wrote to memory of 2728	1920	lsass32.exe	lsass32.exe
PID 1920 wrote to memory of 2728	1920	lsass32.exe	lsass32.exe

C:\Users\Admin\AppData\Local\Temp\9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
"C:\Users\Admin\AppData\Local\Temp\9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Roaming\Microsoft\bin\lsass32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\bin\lsass32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\bin\lsass32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Roaming\Microsoft\bin\lsass32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\bin\lsass32.exe"
3⤵
- Executes dropped EXE
PID:2728

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\bin\lsass32.exe

Filesize
222KB

MD5
9ace4af67f515fc26b093f75cf1ee017

SHA1
84f85940630313da4bf9ae93906f238f39333780

SHA256
bc8395db922487983996c23e280e264e1d33a860ceeda5a7533622d0353228e1

SHA512
65972d41318e9ef1e77fa4a045332218be26ad080a656d7766f60bdc964c5de54986753b0f6ed67278fad5e1d0084b005137cd45cc6193df9cc813adc8b2fd78

Download Submit
memory/932-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/932-54-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1920-51-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1920-61-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2728-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads