3a873d9a989c5273d80ee4872cd297b67130f920a61ee29807dd83b78a695369

General

Target

updater.exe
Size

403KB
MD5

bcc3ac517a3b3b10c8f05686930af54d
SHA1

2626ce3b2a8d9916c6e836a06ee6ec8dd73466d5
SHA256

a32bd3681eea3853c1c86d19f1825891e9a38f06beeadc1053da9a6528d490da
SHA512

83b5435edf26eaf8de431b38ab4ada2d134a71c0b902958a1fd10c972e00db45b55c37a7f04026c295ad532949692d9b8d305ee1a474d1eb50dda6c40793743e
SSDEEP

12288:EVfYHN3FPGcgtn/WnGxGu7LM7JmgNFxovmAx0iqTe:cml0Rx/nxYboF0iqTe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	updater.exe

Executes dropped EXE 1 IoCs

pid	Process
752	AetherEye.exe

Loads dropped DLL 2 IoCs

pid	Process
752	AetherEye.exe
752	AetherEye.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2620	752	WerFault.exe	88
800	752	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
752	AetherEye.exe
752	AetherEye.exe
752	AetherEye.exe
752	AetherEye.exe
752	AetherEye.exe
752	AetherEye.exe
752	AetherEye.exe
752	AetherEye.exe
752	AetherEye.exe
752	AetherEye.exe
752	AetherEye.exe
752	AetherEye.exe
752	AetherEye.exe
752	AetherEye.exe
752	AetherEye.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4572	updater.exe
Token: SeDebugPrivilege	752	AetherEye.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 752	4572	updater.exe	88
PID 4572 wrote to memory of 752	4572	updater.exe	88
PID 4572 wrote to memory of 752	4572	updater.exe	88

C:\Users\Admin\AppData\Local\Temp\updater.exe
"C:\Users\Admin\AppData\Local\Temp\updater.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\AetherEye.exe
  "C:\Users\Admin\AppData\Local\Temp\AetherEye.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 1340
    3⤵
    - Program crash
    PID:2620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 1340
    3⤵
    - Program crash
    PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 752 -ip 752
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 752 -ip 752
1⤵
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AetherEye.exe

Filesize
49.5MB

MD5
e2fc811079c8e2649c4318889eb56acb

SHA1
773f4dd8de8de39f561b6ab36ecbefb1b2ed5a36

SHA256
22e7389928dc9eb667d631cabd47a829fdcc754dd8a2c00d48aa32fb44de3f3b

SHA512
76889142669c00c3537654f030d41f66135136690a615ccede01adf3f85524832ff61ad7bc8a8d17acb562d121a19017c867c79eea2e670e5b3b8153d2f5dc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiscordRPC.dll

Filesize
82KB

MD5
3956130e36754f184a0443c850f708f8

SHA1
4874cd51b0fa5652ed84e3b0c123bee05dcdffc8

SHA256
25c39f91f737d80040c72c9e3f95db0fece1c9653f501828adc16cfb1ec59d26

SHA512
157143dd69378e9914ddbb934229cfbc99ae7d80f4f787b7799fc254054d2c7b1e6f4551cddea30470e28b61309f858fcdb2d009b1c32953dfe5ea7fe78e9e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
118B

MD5
b97045084cd2d1b66647eb380583f05f

SHA1
22b71f9168502279f3e7c6486bf1626c1d0fdbd5

SHA256
32f8e6f59328ff2a3d398e39df1dd193b7f251372c9e261f0b18af4f88600ee8

SHA512
8fc2b655acc6a8e52211ab948f6877e21807346a73b4e5c5b5906b718c6aa4a93d8971f9c43ae3beb99833806f2392624f3530482ac69dd841cb3fabd0332c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
117B

MD5
7cb0f541ef86dd9446924183a12baed9

SHA1
8aac7cd7d862f956d6dcb6893c73fd69ea543f19

SHA256
7088f3e9cf86fcd1670b3e8ff02ea449f06865927919c4a8d0a2f0e5cd32960c

SHA512
931fc5478549bd9ac6c8412ead72fcd23c0bc7a544c047c45f35e83ddcf88b3bb9d4f560145e0b47c8e7b56be2dc9ce96b9246abd8ebc599c9d1236ec1790db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
118B

MD5
d4a69d8cc2dc731896ec4b61564c0b3a

SHA1
a110aa88bd332af2687c08a34c7d044e7b93720e

SHA256
0426de20ccf077d1ac428c5d64b3ddb50d12d7b2a0eaa48486d809017f65106b

SHA512
874300b8b820d132f36c3ae842b81477b1ef9c6c77538e8becf0a2c397b1ab2b3f8a68183ffd4b0b9aaa991075ee9f569346911a5d33af0e5aa15d59f1c75826

Download Submit
memory/752-25-0x000000000C990000-0x000000000CF34000-memory.dmp

Filesize
5.6MB

Download
memory/752-29-0x000000000D140000-0x000000000D340000-memory.dmp

Filesize
2.0MB

Download
memory/752-60-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/752-20-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/752-46-0x0000000017180000-0x000000001719A000-memory.dmp

Filesize
104KB

Download
memory/752-23-0x0000000000480000-0x0000000001480000-memory.dmp

Filesize
16.0MB

Download
memory/752-24-0x0000000009970000-0x0000000009971000-memory.dmp

Filesize
4KB

Download
memory/752-42-0x0000000017140000-0x000000001715A000-memory.dmp

Filesize
104KB

Download
memory/752-26-0x000000000C480000-0x000000000C512000-memory.dmp

Filesize
584KB

Download
memory/752-27-0x000000000C0E0000-0x000000000C0EA000-memory.dmp

Filesize
40KB

Download
memory/752-28-0x000000000C610000-0x000000000C666000-memory.dmp

Filesize
344KB

Download
memory/752-41-0x0000000010580000-0x0000000010592000-memory.dmp

Filesize
72KB

Download
memory/752-30-0x0000000013C00000-0x0000000015CB0000-memory.dmp

Filesize
32.7MB

Download
memory/4572-4-0x0000000004EC0000-0x0000000004F5C000-memory.dmp

Filesize
624KB

Download
memory/4572-3-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/4572-6-0x0000000005EB0000-0x00000000063DC000-memory.dmp

Filesize
5.2MB

Download
memory/4572-0-0x000000007506E000-0x000000007506F000-memory.dmp

Filesize
4KB

Download
memory/4572-22-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/4572-2-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/4572-1-0x0000000000180000-0x0000000000224000-memory.dmp

Filesize
656KB

Download
memory/4572-5-0x0000000005130000-0x00000000052F2000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing