2b6037134c22866fa80f47066e148b6e8d74c1851cadf785cad79d929ecd21bc

General

Target

bab655e6f10c206fb1f1c9d55b8c5510N.exe
Size

1004KB
MD5

bab655e6f10c206fb1f1c9d55b8c5510
SHA1

4b4666a706cb0af9ccb065bf5e426c68d6d39915
SHA256

2b6037134c22866fa80f47066e148b6e8d74c1851cadf785cad79d929ecd21bc
SHA512

6c7287fadc01dc391b9ece0569c7026d2c059652959671e52eba9592ac9dc1183b4bd976dff9fc43caf737ad9d17f1984e4f06f24410e57edbbc233e7aeabed4
SSDEEP

6144:oBDHmrz4nijG8o3Zp/TWt+g4RQTDUBO8/2vh+ziDV8m56TBac2Gub:qDHmonijG8L8g4RgoBO8/2vhDX56Ti

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1148	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2072	DBSever0.EXE

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\WDDBSever0.EXE = "\"C:\\Windows\\DBSever0.EXE\" /Auto"	DBSever0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDDBSever0.EXE = "\"C:\\Windows\\DBSever0.EXE\" /Auto"	DBSever0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\WDDBSever0.EXE = "\"C:\\Windows\\DBSever0.EXE\" /Auto"	bab655e6f10c206fb1f1c9d55b8c5510N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DBSever0.EXE	bab655e6f10c206fb1f1c9d55b8c5510N.exe
File created	C:\Windows\DBSever0.EXE	bab655e6f10c206fb1f1c9d55b8c5510N.exe
File opened for modification	C:\Windows\DBSever0.KInf	DBSever0.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DBSever0.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bab655e6f10c206fb1f1c9d55b8c5510N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	DBSever0.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 2072	484	bab655e6f10c206fb1f1c9d55b8c5510N.exe	30
PID 484 wrote to memory of 2072	484	bab655e6f10c206fb1f1c9d55b8c5510N.exe	30
PID 484 wrote to memory of 2072	484	bab655e6f10c206fb1f1c9d55b8c5510N.exe	30
PID 484 wrote to memory of 2072	484	bab655e6f10c206fb1f1c9d55b8c5510N.exe	30
PID 484 wrote to memory of 1148	484	bab655e6f10c206fb1f1c9d55b8c5510N.exe	31
PID 484 wrote to memory of 1148	484	bab655e6f10c206fb1f1c9d55b8c5510N.exe	31
PID 484 wrote to memory of 1148	484	bab655e6f10c206fb1f1c9d55b8c5510N.exe	31
PID 484 wrote to memory of 1148	484	bab655e6f10c206fb1f1c9d55b8c5510N.exe	31

C:\Users\Admin\AppData\Local\Temp\bab655e6f10c206fb1f1c9d55b8c5510N.exe
"C:\Users\Admin\AppData\Local\Temp\bab655e6f10c206fb1f1c9d55b8c5510N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\DBSever0.EXE
  C:\Windows\DBSever0.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp0.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp0.bat

Filesize
240B

MD5
48c2f6b61c647dacb3109a38179cec20

SHA1
212f6ce14d1e15c3621bd876e1c53d306dea5238

SHA256
643b8eab4f43af492f71680e65aa596329af48c48ea4ef4fb162109d5c1f31d7

SHA512
d75a08d8301d220f336e3d09ab65df4b94a084bf5b04623fd1425002f86cc83bac69d8af182570264de5a956154d9fdb3c091398cb74a2593f439e6e4c179fe1

Download Submit
C:\Windows\DBSever0.EXE

Filesize
1009KB

MD5
d30ac9f84f6a5dc943f057451091071f

SHA1
7f4c81c3dd1f7c127fd67f22c70ff3c7fc4461db

SHA256
dca16645cd6e084902c8c4730a11809870ab7ffe295f5718ad0f39c4378d22f6

SHA512
61822efba6ac203c5222ff73951d4c1c2cac3e3f35302d2333dda0f54cf2ce6604716775759748d72c30dc5c1c8baefb19ce2caaf0f62f03b90c2b8e8cfc7476

Download Submit
memory/484-0-0x0000000010000000-0x000000001007D000-memory.dmp

Filesize
500KB

Download
memory/484-7-0x0000000002040000-0x00000000020BD000-memory.dmp

Filesize
500KB

Download
memory/484-18-0x0000000002040000-0x00000000020BD000-memory.dmp

Filesize
500KB

Download
memory/484-17-0x0000000010000000-0x000000001007D000-memory.dmp

Filesize
500KB

Download
memory/2072-8-0x0000000010000000-0x000000001007D000-memory.dmp

Filesize
500KB

Download
memory/2072-20-0x0000000010000000-0x000000001007D000-memory.dmp

Filesize
500KB

Download
memory/2072-22-0x0000000010000000-0x000000001007D000-memory.dmp

Filesize
500KB

Download
memory/2072-25-0x0000000010000000-0x000000001007D000-memory.dmp

Filesize
500KB

Download
memory/2072-26-0x0000000010000000-0x000000001007D000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads