b58a218d8faa3fcb1f2295e2452f89eb256406409a43d6d289a6dd0394f22e18

General

Target

setup-ttdown.exe
Size

89.5MB
MD5

f51e4fc121e79e1ed3684282c1361857
SHA1

b9b040f34fe46dc7515ef56215a387c0a53d5af9
SHA256

2efa6773e89296e5b5fc3e6a92640efa95ae400977767ed59047692c72ade8ed
SHA512

51d0fb1835cd4a32003a2acd988413916e1016df92e887c1ed6b761d0a44da2368c7031ebf297df20966a4f6bab2dc5ce05733b3d89f4c5d3f4063658733ce14
SSDEEP

1572864:Zs0D4yiOUCTaTBIENm/t/hRf/iWA61S30fmFJMajGJ4qR4oHbmi9LipJR4PFjs0i:ZZHiOhTa1v+tnFQk+oaCSi9Wmjs08D

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	setup-ttdown.exe

Executes dropped EXE 1 IoCs

pid	Process
1472	talio.exe

Loads dropped DLL 3 IoCs

pid	Process
4268	setup-ttdown.exe
4268	setup-ttdown.exe
4268	setup-ttdown.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023422-19.dat	upx
behavioral2/memory/1472-24-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1472-26-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1472-27-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1472-28-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1472-29-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1472-30-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1472-31-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1472-32-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1472-33-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1472-34-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1472-35-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1472-36-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1472-37-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1472-38-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1472-39-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1472-40-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	setup-ttdown.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup-ttdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	talio.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4396	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4396	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 1472	4268	setup-ttdown.exe	90
PID 4268 wrote to memory of 1472	4268	setup-ttdown.exe	90
PID 4268 wrote to memory of 1472	4268	setup-ttdown.exe	90

C:\Users\Admin\AppData\Local\Temp\setup-ttdown.exe
"C:\Users\Admin\AppData\Local\Temp\setup-ttdown.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Local\Temp\talio.exe
  "C:\Users\Admin\AppData\Local\Temp\talio.exe" C:\Users\Admin\AppData\Local\Temp\talio.mp3
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1472

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x41c 0x4b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\TALIO.MP3

Filesize
1.0MB

MD5
756c38bddf52b077812975e8c4e8ceba

SHA1
8fc93e1afe8717bd64d0d37e51c1fe457aef1a4f

SHA256
2b5789f575ff17383227305b7432f0837d1802a8e51263d9ed9ca7fe1150b9e7

SHA512
c9cc365021885a8af4064923435aea1975fa2626c68e18cc57cdd382c097e7d4513e50eed9f8a9eaebdc82f19b22ea1bcfb07d4d81c68c78516e787e187fb9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLCC13D.tmp

Filesize
161KB

MD5
263e81631fb67194dc968dc3f4bdb4e7

SHA1
2998697c503a542d5cf1e25a0d0df18fcd38d66c

SHA256
9200949ab6f777df957fc524d4733e2cb47b89a209c07d2be57b4c63cecbf766

SHA512
2eb6fd28ba87f193a35f1c4bd4c6ff29495a3c10fea8bfa0506df97fcae5ca16f2617703137ecb32cf6b7dbd3048507dd4d0c7418845cfdce5c43896aec45dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLKC361.tmp

Filesize
84KB

MD5
9ac1f2e22cb405eecee6d32031c223c6

SHA1
ea4cbd989cf7f6a37fdb7e45d51abad1282e6809

SHA256
67aea582781863b69da97bb2c861d639cb24a46cfe60f884c5c7a02d9f959c2b

SHA512
372cd87bb07134f21a788e2b89748832e84a8844ac9e423f00113d14ebfeed8ee29a7cdde9ba3318422ac1826f7c378e7a84325bc1db57c0867e3a330093f2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\talio.exe

Filesize
17KB

MD5
7b1d2025668327a6a502e34218dc7112

SHA1
435342a1e2f36fecbd430747addc2b1edbdac06e

SHA256
b35651280ae6c90f7cc7a7c9e0a45660a239d335a0fa743474bb4e6d8e7adbc3

SHA512
e8cc47d9ffacec416be54570cc07342c1a72422dafe7eddcf3b54582cfa29e0ee37b21cbc0ca445542092767ebddd3a7ec96b55219d8a860f61bfc167f0df5d3

Download Submit
memory/1472-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1472-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1472-27-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1472-28-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1472-29-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1472-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1472-24-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1472-26-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1472-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1472-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1472-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1472-36-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1472-37-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1472-38-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1472-39-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1472-40-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing