b0ebec322ce578522d3187e902c962968e9af4805f0d3eefae549f99a9c7d391

Analysis

max time kernel
140s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 04:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Tone2_KeyGen.exe
Size

541KB
MD5

23b8db6e59d1b5742d662c2e9aadf960
SHA1

c23959e602c0c5091a869d58f0e559e57482e233
SHA256

b0ebec322ce578522d3187e902c962968e9af4805f0d3eefae549f99a9c7d391
SHA512

a9ef60ed4393b410b665454371918aeb5f66d82a9444a301668e03c9d093ae29876d89e0818473c2e157ec6d61f8183c7b72f57f853e5de1896735ad15fc746e
SSDEEP

12288:XYkc9t2Sll/T/ohkU3xg63nsGDxIVhxdKxoSZvj:XYkcL5T/50nSxor

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4232	keygen.exe

Loads dropped DLL 3 IoCs

pid	Process
4232	keygen.exe
4232	keygen.exe
4232	keygen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tone2_KeyGen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4168	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4168	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 4232	3144	Tone2_KeyGen.exe	82
PID 3144 wrote to memory of 4232	3144	Tone2_KeyGen.exe	82
PID 3144 wrote to memory of 4232	3144	Tone2_KeyGen.exe	82

C:\Users\Admin\AppData\Local\Temp\Tone2_KeyGen.exe
"C:\Users\Admin\AppData\Local\Temp\Tone2_KeyGen.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  C:\Users\Admin\AppData\Local\Temp\keygen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4232

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BASSMOD.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
C:\Users\Admin\AppData\Local\Temp\R2RGLD2KG.dll

Filesize
5KB

MD5
501ae6ccc10518430bd0d6e1ccea179f

SHA1
ed72512d15bdf16b0fce37235843cf6eae576743

SHA256
fa1b6a3dfb396a6f2925f2f8d5d89885c5cbb7e9108d04158262d9af25dcd71b

SHA512
735e972b9aa6e28f669192eaf8c4281ee76453fd17accd9be48c145e4bdb63231adfc6a8c489c7dd4e1e925d034177e986a6a25630987ad95714e74d6c2776e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgm.xm

Filesize
388KB

MD5
2dc3ec3f50214a13388932155baf3724

SHA1
deb34a6de5c98f4d954a9eb3857694401a5e06a3

SHA256
98c69e7f59231970dcb7858791ab5e229bb310ac7e196ddfc3203b46f2d043b6

SHA512
b3e9114e005506381d8ce58dadb4f59e9cde2999b170ec021c195d3594a2d8bc535fce6ae7463d70f72f1208ac302a89dcd30436fced727dc14e949831aa546d

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
492KB

MD5
15f2d430bc32b3e4d95f2d915f9f7d83

SHA1
f60f5a8f968f1b36d689aabeaff62d43f205d614

SHA256
a2204caa5d2f178a68ab0a803af9df1145c19ee66dccc72282e048482dbff7fa

SHA512
42dfebe4ea7016e862681db2f4231846dabe5c891eaa604ef1e32606c6014a9b7f14b5adb816b6283c85e0a26d3ec06be74c9110a27e5ff8b6f1a9826c57dfc4

Download Submit
memory/4232-19-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4232-22-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4232-15-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4232-16-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4232-17-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4232-18-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4232-6-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4232-20-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4232-21-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4232-11-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4232-23-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4232-24-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4232-25-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4232-26-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4232-27-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4232-28-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4232-29-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download