696d211f20099957356bb36ae0bdab9b0a6864ac3817c2446bb15bdbf21afcb2

General

Target

b6e1cbd182f1a207b2bc85590d2fd6a0N.exe
Size

540KB
MD5

b6e1cbd182f1a207b2bc85590d2fd6a0
SHA1

16b5bcef3293ec26d4009f45d448d857ad303205
SHA256

696d211f20099957356bb36ae0bdab9b0a6864ac3817c2446bb15bdbf21afcb2
SHA512

9a18b2b7c5b1554e8313b248b2d33ce4be22c1322bc65264ca27fcc35ad0c05b274903a8bd66988c6f4983917d3f4f84337761e47e0b117a1b58cd4abb0fcfef
SSDEEP

6144:jZQx+mI07CciO8DoOiECX0oAppVeh2ELimSlaJwDFO+sdN3+f2XkTl+XOzol+KXl:a95iO8D3CXQVI/LiaJAFO5DMWrXNcc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2252	F151.tmp
2464	b6e1cbd182f1a207b2bc85590d2fd6a0N.exe

Loads dropped DLL 3 IoCs

pid	Process
2088	b6e1cbd182f1a207b2bc85590d2fd6a0N.exe
2252	F151.tmp
2252	F151.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F151.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6e1cbd182f1a207b2bc85590d2fd6a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6e1cbd182f1a207b2bc85590d2fd6a0N.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2252	F151.tmp

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2252	F151.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2252	2088	b6e1cbd182f1a207b2bc85590d2fd6a0N.exe	31
PID 2088 wrote to memory of 2252	2088	b6e1cbd182f1a207b2bc85590d2fd6a0N.exe	31
PID 2088 wrote to memory of 2252	2088	b6e1cbd182f1a207b2bc85590d2fd6a0N.exe	31
PID 2088 wrote to memory of 2252	2088	b6e1cbd182f1a207b2bc85590d2fd6a0N.exe	31
PID 2252 wrote to memory of 2464	2252	F151.tmp	32
PID 2252 wrote to memory of 2464	2252	F151.tmp	32
PID 2252 wrote to memory of 2464	2252	F151.tmp	32
PID 2252 wrote to memory of 2464	2252	F151.tmp	32

C:\Users\Admin\AppData\Local\Temp\b6e1cbd182f1a207b2bc85590d2fd6a0N.exe
"C:\Users\Admin\AppData\Local\Temp\b6e1cbd182f1a207b2bc85590d2fd6a0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\F151.tmp
  "C:\Users\Admin\AppData\Local\Temp\F151.tmp" --pingC:\Users\Admin\AppData\Local\Temp\b6e1cbd182f1a207b2bc85590d2fd6a0N.exe 9F48422ED941C40EE3C473BEEDBEA575B418FDBB814C956EA4E7795228910A5C6DE1A73FBEF29BCA3C15536DD568C0EB7D4F5DDCCB0D3E48131905704EA4E35D
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\b6e1cbd182f1a207b2bc85590d2fd6a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\b6e1cbd182f1a207b2bc85590d2fd6a0N.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\F151.tmp

Filesize
540KB

MD5
7f241723d1b72328adbc57be2207b04c

SHA1
6ad025966686ec8fdc443ebf7664cf70ba4df622

SHA256
fbc6181bec995e07734f928ddbc7d9dbdd32d6274a127a26e6b4ebbf186aa7ce

SHA512
97cf151115d46e29591e2ba91a438d0de1ea6f8b349595da49dd546c8391315a51e3678e97efd6e8676bef5ae528feda016c3d0f3a71d2b83f51415345b69761

Download Submit
\Users\Admin\AppData\Local\Temp\b6e1cbd182f1a207b2bc85590d2fd6a0N.exe

Filesize
180KB

MD5
1e4524dd4963fad9da23cc9dd22362be

SHA1
b13c2d9d734aea7d0912e000b367f58aa332954f

SHA256
7cb106de2392ae9c71eb7234747b0ae157c2487750cd5034a239247b8de02779

SHA512
1e3c1db9e57fc9aa1af626f5de8ddd5131c100ce8fef459e2b7cc65765dfc22ddb644c10f23bd28384616fe45b37039d95ee34861c3d5e5bec3b5464cc3efac4

Download Submit
memory/2464-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-22-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads