d47b87ec90d7293ffef7b7c7f18fb246c8111e81ea33f2a9349ab320c27e6391

General

Target

a89fb7ae5ad152e445320707a6231c70N.exe
Size

280KB
MD5

a89fb7ae5ad152e445320707a6231c70
SHA1

97cb0b65073b3388640be176b860ad8dadf204e7
SHA256

d47b87ec90d7293ffef7b7c7f18fb246c8111e81ea33f2a9349ab320c27e6391
SHA512

fc5c82992dfc102d918c82d794e75f481bf1dfdc3b46b346ee04698dbc9f56c1b94b7dd83e299b97388e4f18fb60810a2b12dadd358f38a2358f13951fdab247
SSDEEP

6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKk:boSeGUA5YZazpXUmZhZ6Sk

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

a1punf5t2of.exe

pid process

2564 a1punf5t2of.exe
Loads dropped DLL 2 IoCs

Processes:

a89fb7ae5ad152e445320707a6231c70N.exea1punf5t2of.exe

pid process

2800 a89fb7ae5ad152e445320707a6231c70N.exe
2564 a1punf5t2of.exe

pid	process
2564	a1punf5t2of.exe

pid	process
2800	a89fb7ae5ad152e445320707a6231c70N.exe
2564	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a89fb7ae5ad152e445320707a6231c70N.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	a89fb7ae5ad152e445320707a6231c70N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a89fb7ae5ad152e445320707a6231c70N.exea1punf5t2of.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a89fb7ae5ad152e445320707a6231c70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1punf5t2of.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

a89fb7ae5ad152e445320707a6231c70N.exea1punf5t2of.exe

description	pid	process	target process
PID 2800 wrote to memory of 2564	2800	a89fb7ae5ad152e445320707a6231c70N.exe	a1punf5t2of.exe
PID 2800 wrote to memory of 2564	2800	a89fb7ae5ad152e445320707a6231c70N.exe	a1punf5t2of.exe
PID 2800 wrote to memory of 2564	2800	a89fb7ae5ad152e445320707a6231c70N.exe	a1punf5t2of.exe
PID 2800 wrote to memory of 2564	2800	a89fb7ae5ad152e445320707a6231c70N.exe	a1punf5t2of.exe
PID 2800 wrote to memory of 2564	2800	a89fb7ae5ad152e445320707a6231c70N.exe	a1punf5t2of.exe
PID 2800 wrote to memory of 2564	2800	a89fb7ae5ad152e445320707a6231c70N.exe	a1punf5t2of.exe
PID 2800 wrote to memory of 2564	2800	a89fb7ae5ad152e445320707a6231c70N.exe	a1punf5t2of.exe
PID 2564 wrote to memory of 1740	2564	a1punf5t2of.exe	a1punf5t2of.exe
PID 2564 wrote to memory of 1740	2564	a1punf5t2of.exe	a1punf5t2of.exe
PID 2564 wrote to memory of 1740	2564	a1punf5t2of.exe	a1punf5t2of.exe
PID 2564 wrote to memory of 1740	2564	a1punf5t2of.exe	a1punf5t2of.exe
PID 2564 wrote to memory of 1740	2564	a1punf5t2of.exe	a1punf5t2of.exe
PID 2564 wrote to memory of 1740	2564	a1punf5t2of.exe	a1punf5t2of.exe
PID 2564 wrote to memory of 1740	2564	a1punf5t2of.exe	a1punf5t2of.exe

C:\Users\Admin\AppData\Local\Temp\a89fb7ae5ad152e445320707a6231c70N.exe
"C:\Users\Admin\AppData\Local\Temp\a89fb7ae5ad152e445320707a6231c70N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
3⤵
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Filesize
280KB

MD5
b87b8d2e40a9b1342b70ef54a52f2c86

SHA1
ce031774ec2b20134137e99751a776e399b97380

SHA256
ef3ccec699f4d23f0ee342806fc7edd13f7e037612eac74e210bb9ad5ea8b784

SHA512
c2846225ddcc4263ba4fea77ebaf8e12a4b353cd0986100f645846e2d03e763fb33123a64afccf8a055e0d48ce900e130dc8fd2740784a662b67eb3b358369bb

Download Submit
memory/2564-13-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2564-14-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2564-15-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2564-17-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2564-18-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-0-0x00000000747B1000-0x00000000747B2000-memory.dmp

Filesize
4KB

Download
memory/2800-1-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-2-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-3-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-12-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads