06d41bcbecdc3c9521f4ca322bb44628dd3009f18465e1ddcb96976337d118c3

General

Target

HA_UltraAudioRipper-v2.0.2008.401/HA_UltraAudioRipper-2_CZ.exe
Size

5.4MB
MD5

2399386046aa791dea77153ecd81bf46
SHA1

bbcd13d1cf9608358b09b67031b8b2faf6a10330
SHA256

b2be2b6d673b8eef56a06da3009b327bee612380a8c27daeed61b071114c4733
SHA512

bc2bf259096760f8f9f80a8aa9aa39fe84f1f435eb8e892667198442f1c9b20283394d5985ed48d2135a9bef97390683a0f024adadb20f611a340c49058369d3
SSDEEP

98304:nndX4cyda/Pj22gtbKxzVWROhi9QGSCoJxQA5cO2yI1pWwBk8b3GllC2gtSO0/tl:n2sgtbyxmUi9PEJCAiOY1l68jGlX8SOm

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
1864	HA_UltraAudioRipper-2_CZ.exe
1864	HA_UltraAudioRipper-2_CZ.exe
1864	HA_UltraAudioRipper-2_CZ.exe
1864	HA_UltraAudioRipper-2_CZ.exe
1864	HA_UltraAudioRipper-2_CZ.exe
1864	HA_UltraAudioRipper-2_CZ.exe
1864	HA_UltraAudioRipper-2_CZ.exe
1864	HA_UltraAudioRipper-2_CZ.exe
1864	HA_UltraAudioRipper-2_CZ.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bassmod.dll	HA_UltraAudioRipper-2_CZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HA_UltraAudioRipper-2_CZ.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1864	HA_UltraAudioRipper-2_CZ.exe
1864	HA_UltraAudioRipper-2_CZ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3352	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3352	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\HA_UltraAudioRipper-v2.0.2008.401\HA_UltraAudioRipper-2_CZ.exe
"C:\Users\Admin\AppData\Local\Temp\HA_UltraAudioRipper-v2.0.2008.401\HA_UltraAudioRipper-2_CZ.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ac 0x2b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NSISUtils\msvcr71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSISUtils\nsisutils.dll

Filesize
4KB

MD5
03a477dd69bd11877e2ac1953947c400

SHA1
e33881e8203674cc94bc9fcbde3e1f65ed4be5c7

SHA256
03c50276af73bb72b533f8936a57bbabe41e3b7d5e24cf60eb32f3b9df2cdd61

SHA512
c8d657199b7c2e2d3c9d76897426b1b9f227bd9d341481f059ab1ae6d79514e94620ec6434e32a6a07095350c90a80bfa46384cef12e309ba6f661d2ddac81af

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBBB1.tmp\bassmod.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBBB1.tmp\brandingurl.dll

Filesize
3KB

MD5
9c3488b5e9655d1837c3963ecec33f70

SHA1
f0fa9b4c29e75c6e4419c4633d09f2797aee2ef3

SHA256
05ef4beb7fab9d04c1fb251874166fa2d73a34b4a7f2b145d37a2fd00c88979a

SHA512
6af9f88d65d2279a71620f2a656062b1737b3a9a1692ed4e5887bdee891ce08d21c5c0b25ab3acbe6da9fe255dcd7f8a517c2751e73dc56add216740c945e4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBBB1.tmp\installoptions.dll

Filesize
14KB

MD5
f7730497c40fed85e359d0a1088d0943

SHA1
bfe1d8bf1fd9738065d1bf66eca3b16ce545ec67

SHA256
b1726a5f01938db8acc46c12e4d1950dfffc7776d39c8da5ba372a6bdc0d4eab

SHA512
23fdeb65ab8c7edd114ea5beaae24c062c8a0df1ac22d16400c2973e903f8658f1356e71d64e06a0126acb8b01003b74e2d88c1f480fd00fed153f03633a2d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBBB1.tmp\ioSpecial.ini

Filesize
937B

MD5
4b8629d8cf90832edfc51d964caadf1a

SHA1
ad2bd8ab470dd52063f5370dba9a7b9c72dcc96e

SHA256
b4aff5ba2b0eba7c55496a7534a1da0171b8e5e3a9e9143354563829f3861c0a

SHA512
58f4a4ef58d1290463f1cb7b2af5a14b6343865a07916de7d86f176f0374169d740a00d108e07f48a4ca7b088cc9a672faa6dc984ba26fecc3197ded1d5cec2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBBB1.tmp\system.dll

Filesize
9KB

MD5
d9a8780c74619a5d6d31415d56762181

SHA1
2122b7b5f859681b01cc97dc32ea93d3c5b65a5d

SHA256
e8b36ebe7661e9a54d1d167678c46c4c82dc6bd666bf561f03d73bef8307fe62

SHA512
6ec9bb514c52a3a6ba4188ad81f23222f4a7c43f432d8d4ac23ef6d4b0427f268e783a02a5a3b0f1efebff785fc4a391c708080994ce65a234db1b25c31aa4e9

Download Submit
memory/1864-132-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download
memory/1864-140-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download
memory/1864-17-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download
memory/1864-129-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1864-130-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download
memory/1864-0-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1864-134-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download
memory/1864-136-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download
memory/1864-138-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download
memory/1864-19-0x00000000068C2000-0x00000000068C3000-memory.dmp

Filesize
4KB

Download
memory/1864-142-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download
memory/1864-144-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download
memory/1864-146-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download
memory/1864-148-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download
memory/1864-150-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download
memory/1864-152-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download
memory/1864-154-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download
memory/1864-156-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download
memory/1864-158-0x00000000068B0000-0x00000000068C3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing