829b3923c5aa4522cc36b4b0fee7ca6c7d34c35a1966703fe1b9da1876822169

General

Target

08c44f3c0c5e903d7b1879b42987a260N.exe
Size

28KB
MD5

08c44f3c0c5e903d7b1879b42987a260
SHA1

3e8c2031989724b9fa0445912eaedf0b96c8b2ca
SHA256

829b3923c5aa4522cc36b4b0fee7ca6c7d34c35a1966703fe1b9da1876822169
SHA512

cab94b0da2c038bc00cb3665f66bdea1e934e49f8a7ef0cd4cbefa197ba20c1dc4124422e4d266642ac7b5415c806a4d6c63886928cd74a9af5f790c3a0c21cf
SSDEEP

384:MqvAXxH6zoHAcIWed4+kSLqrXla7vvxlLjlFVVVV1dFFFFT:zWxMoHNed6a7DZrdFFFFT

Score

8^/10

defense_evasion discovery evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
832	attrib.exe

Deletes itself 1 IoCs

pid	Process
2508	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1728	okehost.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Debug\okehost.exe	08c44f3c0c5e903d7b1879b42987a260N.exe
File opened for modification	C:\Windows\Debug\okehost.exe	08c44f3c0c5e903d7b1879b42987a260N.exe
File opened for modification	C:\Windows\Debug\okehost.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08c44f3c0c5e903d7b1879b42987a260N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	okehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1020	08c44f3c0c5e903d7b1879b42987a260N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 832	1020	08c44f3c0c5e903d7b1879b42987a260N.exe	29
PID 1020 wrote to memory of 832	1020	08c44f3c0c5e903d7b1879b42987a260N.exe	29
PID 1020 wrote to memory of 832	1020	08c44f3c0c5e903d7b1879b42987a260N.exe	29
PID 1020 wrote to memory of 832	1020	08c44f3c0c5e903d7b1879b42987a260N.exe	29
PID 1020 wrote to memory of 2508	1020	08c44f3c0c5e903d7b1879b42987a260N.exe	32
PID 1020 wrote to memory of 2508	1020	08c44f3c0c5e903d7b1879b42987a260N.exe	32
PID 1020 wrote to memory of 2508	1020	08c44f3c0c5e903d7b1879b42987a260N.exe	32
PID 1020 wrote to memory of 2508	1020	08c44f3c0c5e903d7b1879b42987a260N.exe	32

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
832	attrib.exe

C:\Users\Admin\AppData\Local\Temp\08c44f3c0c5e903d7b1879b42987a260N.exe
"C:\Users\Admin\AppData\Local\Temp\08c44f3c0c5e903d7b1879b42987a260N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\SysWOW64\attrib.exe
  attrib +a +s +h +r C:\Windows\Debug\okehost.exe
  2⤵
  - Sets file to hidden
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\08C44F~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2508

C:\Windows\Debug\okehost.exe
C:\Windows\Debug\okehost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\okehost.exe

Filesize
28KB

MD5
7891954123a82d354f3bdc8c5145a63a

SHA1
dc8b665de739c5be43c135ca7ff9b210b04f0065

SHA256
ab48da5e0d2372f26344d824a08c7968a74c16b38a9d1a7c5259ec4c7de4f036

SHA512
def2422f33cd58141af12f61a44f4d5b62630a0c789c6949e05fa33c4247fab51518832c1f593c0ee519e08c1794b158558d3523fe48c0108ae5d28894609710

Download Submit
memory/1020-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1020-7-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-8-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-11-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-14-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-17-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads