2132faa1b6fff1d8a8a51a64b463d95f2ec0b244d66aad8abb44776f40bd0fc6

General

Target

(x64bit.)_patch.exe
Size

839KB
MD5

f8b1eabcbc118609bb2260031829f87f
SHA1

62970ae57302ae52f1291a9c728a6a81ffa2ec73
SHA256

2132faa1b6fff1d8a8a51a64b463d95f2ec0b244d66aad8abb44776f40bd0fc6
SHA512

18296e7748c964b823fbacc5ffe3f1debc7d946855040810d73e649e653cb13f8590a83375b9bce0e4966148e5abf096b1a5472a10fac31d97f62beda71ccc29
SSDEEP

24576:nprTzqF5dnTVW3hr7ALun+zO9Biek/uaOkjrlHOmnve:Ra5IF7P+zO9B9k/uarpHjm

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\HOST.cmd	(x64bit.)_patch.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\system32\drivers\etc\HOST.cmd	(x64bit.)_patch.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	(x64bit.)_patch.exe

Loads dropped DLL 2 IoCs

pid	Process
5076	(x64bit.)_patch.exe
5076	(x64bit.)_patch.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\killproces.bat	(x64bit.)_patch.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\killproces.bat	(x64bit.)_patch.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.dll	(x64bit.)_patch.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrodistdll.dll	(x64bit.)_patch.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrotray.exe	(x64bit.)_patch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(x64bit.)_patch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2248	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1112	regedit.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1660	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1660	AUDIODG.EXE
Token: SeDebugPrivilege	2248	taskkill.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 1076	5076	(x64bit.)_patch.exe	97
PID 5076 wrote to memory of 1076	5076	(x64bit.)_patch.exe	97
PID 5076 wrote to memory of 1076	5076	(x64bit.)_patch.exe	97
PID 1076 wrote to memory of 2248	1076	cmd.exe	99
PID 1076 wrote to memory of 2248	1076	cmd.exe	99
PID 1076 wrote to memory of 2248	1076	cmd.exe	99
PID 5076 wrote to memory of 1112	5076	(x64bit.)_patch.exe	100
PID 5076 wrote to memory of 1112	5076	(x64bit.)_patch.exe	100
PID 5076 wrote to memory of 4404	5076	(x64bit.)_patch.exe	101
PID 5076 wrote to memory of 4404	5076	(x64bit.)_patch.exe	101
PID 5076 wrote to memory of 4404	5076	(x64bit.)_patch.exe	101
PID 4404 wrote to memory of 1132	4404	cmd.exe	103
PID 4404 wrote to memory of 1132	4404	cmd.exe	103
PID 4404 wrote to memory of 1132	4404	cmd.exe	103
PID 4404 wrote to memory of 5080	4404	cmd.exe	104
PID 4404 wrote to memory of 5080	4404	cmd.exe	104
PID 4404 wrote to memory of 5080	4404	cmd.exe	104

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1132	attrib.exe
5080	attrib.exe

C:\Users\Admin\AppData\Local\Temp\(x64bit.)_patch.exe
"C:\Users\Admin\AppData\Local\Temp\(x64bit.)_patch.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Program Files\Adobe\Acrobat DC\Acrobat\killproces.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /f /t /im acrotray.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- C:\Windows\regedit.exe
  "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\\regpatch.reg"
  2⤵
  - Runs .reg file with regedit
  PID:1112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Windows\system32\drivers\etc\HOST.cmd"
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r C:\Windows\system32\drivers\etc\hosts
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1132
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r C:\Windows\system32\drivers\etc\hosts
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:5080

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c 0x474
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Adobe\Acrobat DC\Acrobat\killproces.bat

Filesize
48B

MD5
0395e0bacec066cfa168a85c267a9f06

SHA1
f5857540ccfd514c4eb58355e7e84ae603d01ee2

SHA256
06795f74afb1ed8c4ac870ba773847b21cd01adadfe01a6e8813aea86a9bc0a7

SHA512
472670ba32d4a8d4d8a38d90e66817937e55960249636b2204ec5b11c5005ff8df191354017556cf675026235f52fe263693442d4053dd426b0205fc7731f062

Download Submit
C:\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
9KB

MD5
780d14604d49e3c634200c523def8351

SHA1
e208ef6f421d2260070a9222f1f918f1de0a8eeb

SHA256
844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2

SHA512
a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll

Filesize
825KB

MD5
1e4c47cb43d537d50a60592b42345da9

SHA1
0433554c251dc75b8ba4251663aa1a3bce641306

SHA256
6f8650fa49a74fbbabb51f1cced99d11732c177ecb1049ec59ebc79b16daf1ed

SHA512
d6e316cf0a45f479d84ba74917407220ba9421f9edd656835487fb6ccb79f7bbf78a44e885d1f9c440cb5ac4387f3f9b943b505148efc34fd73db22f83b03288

Download Submit
C:\Users\Admin\AppData\Local\Temp\regpatch.reg

Filesize
172B

MD5
acdb9dac1a99ae1f77ab4db4054c760f

SHA1
91cfb22f07f2fafc6eb7fefb8bc1d963259525cd

SHA256
a14d108866b02c8dc9fd2c35385b6588b902677d2b174106524129107542d318

SHA512
b512ab84f107dc6a2e0c514061c831535620537195a6763488b138eb93cf3a1931ea2b3cc11d2e598184c71f79a6833a58bf2c3391d52d89e9527325df954580

Download Submit
C:\Windows\system32\drivers\etc\HOST.cmd

Filesize
766B

MD5
a06544d56f656139b6248d1a34e144e1

SHA1
3f5298683f06acaf88b0bcfbe194de2a2cb7a133

SHA256
9ddda98a7243152e07aea71be30886f6ac8b5d3e219a521defe20f3a22bab0cf

SHA512
c9c3a660ceeefb1f0e71c3bdbdd7ce5856c8fae41dd5a6d6ae6d6b598327135e606373e8911455921d18173aeac88aafaa56e7c1994d85a784afa055089a5f60

Download Submit
memory/5076-2-0x0000000075B60000-0x0000000075C47000-memory.dmp

Filesize
924KB

Download

Analysis

Sharing