14d7091699c7b9722ddda21c68d3cc8f8fe2e9379e1d81a4ef0f7498abefe2a9

General

Target

14d7091699c7b9722ddda21c68d3cc8f8fe2e9379e1d81a4ef0f7498abefe2a9.exe
Size

284KB
MD5

a44bac45d11a0653fe1addf44ce1c500
SHA1

519e7837b59161b97235649a828ad58360ebfbce
SHA256

14d7091699c7b9722ddda21c68d3cc8f8fe2e9379e1d81a4ef0f7498abefe2a9
SHA512

6c581b3f772bfa24899a45b0ebab775ebf252a7d8a33cb1ad646a285e275b1e7fb84814c67b4bdfea752335c153d597eee67e3a554d852104f9897005bcae4da
SSDEEP

6144:LndVRsAXg4C3z520NINNCr9iFUrnGXMUFfew:LndVRsAXg4o19NsNCr9i4Uew

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2024	1223.pif

Executes dropped EXE 1 IoCs

pid	Process
2024	1223.pif

Loads dropped DLL 2 IoCs

pid	Process
3032	14d7091699c7b9722ddda21c68d3cc8f8fe2e9379e1d81a4ef0f7498abefe2a9.exe
3032	14d7091699c7b9722ddda21c68d3cc8f8fe2e9379e1d81a4ef0f7498abefe2a9.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	1223.pif
File opened (read-only)	\??\L:	1223.pif
File opened (read-only)	\??\O:	1223.pif
File opened (read-only)	\??\R:	1223.pif
File opened (read-only)	\??\E:	1223.pif
File opened (read-only)	\??\G:	1223.pif
File opened (read-only)	\??\V:	1223.pif
File opened (read-only)	\??\W:	1223.pif
File opened (read-only)	\??\X:	1223.pif
File opened (read-only)	\??\Y:	1223.pif
File opened (read-only)	\??\M:	1223.pif
File opened (read-only)	\??\Q:	1223.pif
File opened (read-only)	\??\N:	1223.pif
File opened (read-only)	\??\S:	1223.pif
File opened (read-only)	\??\Z:	1223.pif
File opened (read-only)	\??\J:	1223.pif
File opened (read-only)	\??\K:	1223.pif
File opened (read-only)	\??\T:	1223.pif
File opened (read-only)	\??\U:	1223.pif
File opened (read-only)	\??\I:	1223.pif
File opened (read-only)	\??\P:	1223.pif

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\userinit.exe18467	1223.pif
File opened for modification	C:\Windows\SysWOW64\RCXF7F8.tmp	1223.pif
File opened for modification	C:\Windows\SysWOW64\ctfmon.exe26962	1223.pif
File opened for modification	C:\Windows\SysWOW64\RCXF911.tmp	1223.pif
File opened for modification	C:\Windows\SysWOW64\RCXF9DD.tmp	1223.pif
File opened for modification	C:\Windows\SysWOW64\RCXF48C.tmp	1223.pif
File opened for modification	C:\Windows\SysWOW64\calc.exe15724	1223.pif
File opened for modification	C:\Windows\SysWOW64\RCXF6FD.tmp	1223.pif
File opened for modification	C:\Windows\SysWOW64\notepad.exe11478	1223.pif
File opened for modification	C:\Windows\SysWOW64\cleanmgr.exe24464	1223.pif

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14d7091699c7b9722ddda21c68d3cc8f8fe2e9379e1d81a4ef0f7498abefe2a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1223.pif

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2024	3032	14d7091699c7b9722ddda21c68d3cc8f8fe2e9379e1d81a4ef0f7498abefe2a9.exe	30
PID 3032 wrote to memory of 2024	3032	14d7091699c7b9722ddda21c68d3cc8f8fe2e9379e1d81a4ef0f7498abefe2a9.exe	30
PID 3032 wrote to memory of 2024	3032	14d7091699c7b9722ddda21c68d3cc8f8fe2e9379e1d81a4ef0f7498abefe2a9.exe	30
PID 3032 wrote to memory of 2024	3032	14d7091699c7b9722ddda21c68d3cc8f8fe2e9379e1d81a4ef0f7498abefe2a9.exe	30

C:\Users\Admin\AppData\Local\Temp\14d7091699c7b9722ddda21c68d3cc8f8fe2e9379e1d81a4ef0f7498abefe2a9.exe
"C:\Users\Admin\AppData\Local\Temp\14d7091699c7b9722ddda21c68d3cc8f8fe2e9379e1d81a4ef0f7498abefe2a9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\1223.pif
  C:\Users\Admin\AppData\Local\Temp\1223.pif ////DAEMON
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14d7091699c7b9722ddda21c68d3cc8f8fe2e9379e1d81a4ef0f7498abefe2a9.exe

Filesize
100KB

MD5
f40cbb1bf9d2c837131f5ef7c1c8ddaf

SHA1
d855425d5e68767bb7eab6e7a75803b655cb7eb6

SHA256
65dd91dd6a43480ddcb727262c31cf30dbc166860b22dbd5313f32e7805d1cd3

SHA512
ae3a606e51d9dfc517b8684fc4f85c4ed8466ef5e8c45fdb3df1d8c630165e2006b07e25c1aa533a7577c336dcc4f7108a26cd8e68cca2fe58b9a67fa077d876

Download Submit
\Users\Admin\AppData\Local\Temp\1223.pif

Filesize
184KB

MD5
1a7bfd81a6da6b253f66d7f7718e6684

SHA1
6eb03292dfb2c3b37a8d7561c1f812dc0dd81a73

SHA256
2b5d3bbb443788c41ecae810645ca196b767da416f07146970d8714753394293

SHA512
65b67b83f0522a1a756f193207265b98acf0bb0c1633b7df11e54b8df1df5b2bc93d13938caf624d13240b1f6c64e2e6460959a1573461eacaccae5a2b4d1b19

Download Submit

Analysis

Sharing