bc509c68f77d98bbe35be813466c6ffe9fa7235bb7ffba8245c411b7dd1532cf

General

Target

bc509c68f77d98bbe35be813466c6ffe9fa7235bb7ffba8245c411b7dd1532cf.exe
Size

2.4MB
MD5

4eedeafd1414e812536f3113d42a837e
SHA1

832ff960eb94c1006e863bedf2f5918b68dd0cad
SHA256

bc509c68f77d98bbe35be813466c6ffe9fa7235bb7ffba8245c411b7dd1532cf
SHA512

8d0e0dd98afe8a1b7b606aad64c7087423e12516e0e48a834cafef6cdb7a60cd8586451297b2fba2e172725b1cb8799175828e91afcc7b8f88ad132b72722796
SSDEEP

49152:3p0ZPIG/s0gxkYo1S9JioXmHzpw3v/ZUeHwonEL28G4Zaez+7enTNlGQD7qyOuH1:+PI+s0gxkYo1S9JiS3CoCfvaM+7enTNv

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\Estdlock.sys	ODMHook64.exe
File created	C:\Windows\SysWOW64\Drivers\Estdlock.sys	ODMHook.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\Estdlock.sys	ODMHook.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Estdlock.sys	ODMHook.exe
File opened for modification	C:\Windows\system32\drivers\Estdlock.sys	ODMHook64.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	bc509c68f77d98bbe35be813466c6ffe9fa7235bb7ffba8245c411b7dd1532cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ODMHook.exe

Executes dropped EXE 3 IoCs

pid	Process
4180	ODMGuard.exe
3044	ODMHook.exe
4440	ODMHook64.exe

Loads dropped DLL 3 IoCs

pid	Process
3044	ODMHook.exe
4440	ODMHook64.exe
3596	Process not Found

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ODMGuard.LOG	bc509c68f77d98bbe35be813466c6ffe9fa7235bb7ffba8245c411b7dd1532cf.exe
File opened for modification	C:\Windows\ODMGuard.LOG	ODMGuard.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc509c68f77d98bbe35be813466c6ffe9fa7235bb7ffba8245c411b7dd1532cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ODMGuard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ODMHook.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3044	ODMHook.exe
3044	ODMHook.exe
4440	ODMHook64.exe
4440	ODMHook64.exe
4440	ODMHook64.exe
4440	ODMHook64.exe
4440	ODMHook64.exe
4440	ODMHook64.exe
4440	ODMHook64.exe
4440	ODMHook64.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
4440	ODMHook64.exe
3044	ODMHook.exe
3044	ODMHook.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4440	ODMHook64.exe
Token: SeLoadDriverPrivilege	3044	ODMHook.exe
Token: SeLoadDriverPrivilege	3044	ODMHook.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
408	bc509c68f77d98bbe35be813466c6ffe9fa7235bb7ffba8245c411b7dd1532cf.exe
4180	ODMGuard.exe
3044	ODMHook.exe
4440	ODMHook64.exe
4440	ODMHook64.exe
4440	ODMHook64.exe
4440	ODMHook64.exe
3044	ODMHook.exe
3044	ODMHook.exe
3044	ODMHook.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 4180	408	bc509c68f77d98bbe35be813466c6ffe9fa7235bb7ffba8245c411b7dd1532cf.exe	92
PID 408 wrote to memory of 4180	408	bc509c68f77d98bbe35be813466c6ffe9fa7235bb7ffba8245c411b7dd1532cf.exe	92
PID 408 wrote to memory of 4180	408	bc509c68f77d98bbe35be813466c6ffe9fa7235bb7ffba8245c411b7dd1532cf.exe	92
PID 4180 wrote to memory of 3044	4180	ODMGuard.exe	93
PID 4180 wrote to memory of 3044	4180	ODMGuard.exe	93
PID 4180 wrote to memory of 3044	4180	ODMGuard.exe	93
PID 3044 wrote to memory of 4440	3044	ODMHook.exe	95
PID 3044 wrote to memory of 4440	3044	ODMHook.exe	95

C:\Users\Admin\AppData\Local\Temp\bc509c68f77d98bbe35be813466c6ffe9fa7235bb7ffba8245c411b7dd1532cf.exe
"C:\Users\Admin\AppData\Local\Temp\bc509c68f77d98bbe35be813466c6ffe9fa7235bb7ffba8245c411b7dd1532cf.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:408
- C:\Users\Admin\AppData\Roaming\ESafeNet_Out_NewVersion\ODMGuard.exe
  "C:\Users\Admin\AppData\Roaming\ESafeNet_Out_NewVersion\ODMGuard.exe" "C:\Users\Admin\AppData\Local\Temp\bc509c68f77d98bbe35be813466c6ffe9fa7235bb7ffba8245c411b7dd1532cf.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Users\Admin\AppData\Roaming\ESafeNet_Out_NewVersion\ODMHook.exe
    C:\Users\Admin\AppData\Roaming\ESafeNet_Out_NewVersion\ODMHook.exe
    3⤵
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Users\Admin\AppData\Roaming\ESafeNet_Out_NewVersion\ODMHook64.exe
      "C:\Users\Admin\AppData\Roaming\ESafeNet_Out_NewVersion\ODMHook64.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: LoadsDriver
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
1⤵
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ESafeNet_Out_NewVersion\COCfg.XML

Filesize
18KB

MD5
24cc9929790769df80dbf552f370c30c

SHA1
006bbc2b862844598a7e46b341c71e963358fea8

SHA256
68787b5b3bcc213d992b94932ee94d1957d3ffab4654d75a260490509eaf0a96

SHA512
f1b7d97db915d70254746734dd14d7d47606b8bd3be079cf9eef67d57f6401d5b761d585bf7248a59597432a278bd9a30ee052fb662fa5c775b5a3cd718b52cf

Download Submit
C:\Users\Admin\AppData\Roaming\ESafeNet_Out_NewVersion\Estdlock.sys

Filesize
82KB

MD5
a294760611d4d46d6ba2bad7162d0547

SHA1
8b4240903e869fd6626e14d842466178e9013d9c

SHA256
71a9ccfeb0835e6fb1f9724d249183a8dd0594e0bdc3c7c9a331ff4de42f622d

SHA512
07b27e2ec1fe664e7ac3b5d2f2d8f7a245522bcd09d7d772e14d1295a124b23d248edbb68c0f7c44ac57ac41e9b393e35e831170868bef453f11f44d720ede46

Download Submit
C:\Users\Admin\AppData\Roaming\ESafeNet_Out_NewVersion\ODMGuard.exe

Filesize
850KB

MD5
bc3bcd4ad24c0e18f6a6d94f59b92fb4

SHA1
b8d8063189f73a19b0999c39ed211d4ac718455f

SHA256
96941daf81f7f9be4dd0c930ca6bbe497f23a834ca5f45d84e8af9833deb7829

SHA512
00232b7e0e3abfd546ea28080259b1649d058c5f6bf496eb82d386a8d8646a02467f44bdd12e9cf7171d7d36b874e2c189d82e1ee0018dba4ba8e780b738f68a

Download Submit
C:\Users\Admin\AppData\Roaming\ESafeNet_Out_NewVersion\ODMHook.dll

Filesize
484KB

MD5
1309e105d1f030e8b1d23058180af50d

SHA1
aac638db2dafa675f4a94bab020267f97a9b57e9

SHA256
5d164cca134d421eda340cf478bb58c3846e8737f739d07d4d51c161386c48bd

SHA512
7a41d4a77153aae44ed350cc029f0a7f4ef21ab1b7084aa729f596a8c5103a413b089601fb492203e8161db2871e94a48d4d872944dbc14110a6e576e2ee57a7

Download Submit
C:\Users\Admin\AppData\Roaming\ESafeNet_Out_NewVersion\ODMHook.exe

Filesize
531KB

MD5
58b84c29ac7ef78f5b740a01fce53b52

SHA1
37044a5c5fc8b5ca00a811477ec12c5ffdc5c4a7

SHA256
632209984afdbde801710b02860b524dc81676e4fde2b42e7648346113a71c2b

SHA512
7938fb477d7e98af7d28d07df4c0ba4e20bbd4d544d3b086550ed5d8db99a00dec4f9dc23df08396f7b602920ffb2ebfa709cb30c0b8f3caf57a3026f7115477

Download Submit
C:\Users\Admin\AppData\Roaming\ESafeNet_Out_NewVersion\ODMHook64.dll

Filesize
555KB

MD5
6b6ef807ed278d13b9d8c5f0ed22dffa

SHA1
b14e8da5a185c2f8a7b043407851066412a8752c

SHA256
4c0492b251581e45eac10dbc74992e5f179db7cfa8cfcd01f54706e81f7118d4

SHA512
582860b0a505d0cc2c9d4224cb35e9e5cf2ff1367b8b54398e5894efd6b429cbb558e024e2a5afe672a659d382d2975687593d02434eb36c783d8ce561506861

Download Submit
C:\Users\Admin\AppData\Roaming\ESafeNet_Out_NewVersion\ODMHook64.exe

Filesize
577KB

MD5
880ff1a74da53b4b08b583b55be918c5

SHA1
fc2474d80cef2655ebe4bdcc953a67b32ce04fa5

SHA256
67c81f03e40096f6f48a474c1d1d4ebc04222756148a7faab448ed46ffc25df0

SHA512
644f08965b340bdd64936a81b71f9be25148d5ec3b992441040ffa1e3075fa7cc1c075b652ff220b078c689149407ae516b03a1dfe6593f82cd6ad1bfac6a6df

Download Submit
C:\Windows\ODMGuard.LOG

Filesize
777B

MD5
f560e487c3463b15dbab02ea4e63b309

SHA1
ca75b21a8e28bbdef56aa8aed1288136df53783f

SHA256
b8869805cd4d32286ab73bcd89642b8ca4b239c55112765f2673566d04ade6c1

SHA512
7999f69a4f44914e3a93a3388f223043cd20725881a30b0e7a36a9bc97a3f9456cefbe7dd6cd13a28d95af93dc5f3a4ce2461439b855e00b70c1f421dbdd277c

Download Submit
memory/3044-45-0x0000000074326000-0x0000000074327000-memory.dmp

Filesize
4KB

Download
memory/3044-46-0x0000000074320000-0x00000000743A0000-memory.dmp

Filesize
512KB

Download
memory/3044-60-0x0000000074320000-0x00000000743A0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing