4163bd79ef89a5aaeef30890b68854f09331e32c75db7f47544382b62aad185e

Analysis

max time kernel
39s
max time network
28s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dmd-2.109.1.exe
Size

31.1MB
MD5

268731d15b935cb5c46973ea98b9e7d2
SHA1

39fccb3315636e90e97c76f3e9cb24e82f40d855
SHA256

4163bd79ef89a5aaeef30890b68854f09331e32c75db7f47544382b62aad185e
SHA512

a3b1c02b02a0b4c80b3f022aedeb80bc0c5670484dd7e9dc3d4fbb45079aa43c34e019bad56c3baf2769b16591dc6914d43231e68888e4b92489bd0cba5a3a1b
SSDEEP

786432:OquNsmFkLEva1eo7Gt5wJNZyGLtiOE3lMD/yb:teFfa1e/bgNZysvqq/g

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2776	dmd-2.109.1.exe
2776	dmd-2.109.1.exe
2776	dmd-2.109.1.exe
2776	dmd-2.109.1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmd-2.109.1.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	dmd-2.109.1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	dmd-2.109.1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	864	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	864	AUDIODG.EXE
Token: 33	864	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	864	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\dmd-2.109.1.exe
"C:\Users\Admin\AppData\Local\Temp\dmd-2.109.1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:2776

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2548

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nseC380.tmp\ioSpecial.ini

Filesize
1KB

MD5
a3dbca3f9ea378682ab14be16a008081

SHA1
4dada69f74478677c502ba128e18747be1c75124

SHA256
6dec3383d6b1ec8affe5bc6e5e4da05e014a7b1b6687d0083594f27e1d21d480

SHA512
7f6d53cf5dec50982da48eb0882980b6d0dcdfc0636f98df403706abe57291b7e28b356e9b1ec28f711485cc984e4531b72ec36877c76473907d2ca751325976

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC380.tmp\ioSpecial.ini

Filesize
1KB

MD5
8051373410ede4f33baaad5b99f244d4

SHA1
c463ac836dafda62bf60870045f4cb654777a912

SHA256
16a9184fd057c9f33f5eb4fcc46e34d197f030342dd4d8a98f854bd73a91c3c7

SHA512
7f5b91d3c1f58489598b1c274a83f3d6840ba88be2cd338fd835457b4e877d0708d353e6df3183155a4743a2e83792ab3aceae1860e816a031f1f0a6def42502

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC380.tmp\vcinstall.ini

Filesize
2KB

MD5
8fd5542fc17e23de1bc60635c63ce8af

SHA1
92876db078bdcd4117656aaadbea934665e44682

SHA256
4535a066b050c8c206e23b5e1f8d5b8dcbedb15a3b7ce60a2287e426d622e049

SHA512
6eb5734ff5026ef9a35afa419b0ef467d9d3d1380ea55b3cad4472d5d47a9387fa61dc9226dd1fee22e385aee34ece6e1f60f1eeed108c6cdc0018e0a7e1d7a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC380.tmp\vcinstall.ini

Filesize
2KB

MD5
a231e732ca644d03f3b488bf2542acc4

SHA1
847ba5b1d960783efcb30ec64cd19563f4d19a0b

SHA256
ec9bec7c9b0a38bc6cef133faf809c55af596903067175d8b21207a6083e604d

SHA512
1dbf6106b68063f279ce834d026efeaad551391389693f72ffde610524b30593667329e4fd53c1e256ff838badf19979137a687f0437b6160b778aaa555a2adc

Download Submit
\Users\Admin\AppData\Local\Temp\nseC380.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nseC380.tmp\InstallOptions.dll

Filesize
15KB

MD5
09d8971beefefffd710030dd167a99e0

SHA1
a0117786ad77213f3eb48cfdc3819786cb796b7d

SHA256
caf64a4e9449220ba618a9aa2ae4ed3774c5d0f193bda44be22676c27ae0ec95

SHA512
3956f0c6bcdf033e4a10ab33872a66e0668da28ec31cb7a2c67ef7266d7c0845998a2a85a6cc25aba1df73909df8104119cf5f1f86c1e91f8fd201765aea49f0

Download Submit
\Users\Admin\AppData\Local\Temp\nseC380.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit