6f120cd587ec05f82f9e114f910ccae2c8e4cf468c8a06624c611e8431dd9cbf

General

Target

c570824c19f6b18f9385b6d2dd362e30N.exe
Size

6.7MB
MD5

c570824c19f6b18f9385b6d2dd362e30
SHA1

82c8e445f4d97cbdbd3ad03240d9459d4d277c8a
SHA256

6f120cd587ec05f82f9e114f910ccae2c8e4cf468c8a06624c611e8431dd9cbf
SHA512

695d5ed9e697a50880d13a9f82dc5a170523bfb03cf52c71bb2822754471ba345bc6f7dbd9a9fee758292884ae0420f44ac6f4111e08bbd6db7e4556aa987f56
SSDEEP

196608:sfU3b+P/ugXlRRAhqlUsz7vV7LacN3PIRaE1ZVf0y5:8f/31RKVsz7Nl3P2aM/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2408	c570824c19f6b18f9385b6d2dd362e30N.exe
2844	Mp3tag.exe
2580	Mp3tag.exe

Loads dropped DLL 6 IoCs

pid	Process
1952	c570824c19f6b18f9385b6d2dd362e30N.exe
2408	c570824c19f6b18f9385b6d2dd362e30N.exe
2408	c570824c19f6b18f9385b6d2dd362e30N.exe
2844	Mp3tag.exe
2844	Mp3tag.exe
2580	Mp3tag.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2580 set thread context of 2144	2580	Mp3tag.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c570824c19f6b18f9385b6d2dd362e30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c570824c19f6b18f9385b6d2dd362e30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2844	Mp3tag.exe
2580	Mp3tag.exe
2580	Mp3tag.exe
2144	cmd.exe
2144	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2580	Mp3tag.exe
2144	cmd.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2408	1952	c570824c19f6b18f9385b6d2dd362e30N.exe	30
PID 1952 wrote to memory of 2408	1952	c570824c19f6b18f9385b6d2dd362e30N.exe	30
PID 1952 wrote to memory of 2408	1952	c570824c19f6b18f9385b6d2dd362e30N.exe	30
PID 1952 wrote to memory of 2408	1952	c570824c19f6b18f9385b6d2dd362e30N.exe	30
PID 1952 wrote to memory of 2408	1952	c570824c19f6b18f9385b6d2dd362e30N.exe	30
PID 1952 wrote to memory of 2408	1952	c570824c19f6b18f9385b6d2dd362e30N.exe	30
PID 1952 wrote to memory of 2408	1952	c570824c19f6b18f9385b6d2dd362e30N.exe	30
PID 2408 wrote to memory of 2844	2408	c570824c19f6b18f9385b6d2dd362e30N.exe	31
PID 2408 wrote to memory of 2844	2408	c570824c19f6b18f9385b6d2dd362e30N.exe	31
PID 2408 wrote to memory of 2844	2408	c570824c19f6b18f9385b6d2dd362e30N.exe	31
PID 2408 wrote to memory of 2844	2408	c570824c19f6b18f9385b6d2dd362e30N.exe	31
PID 2844 wrote to memory of 2580	2844	Mp3tag.exe	32
PID 2844 wrote to memory of 2580	2844	Mp3tag.exe	32
PID 2844 wrote to memory of 2580	2844	Mp3tag.exe	32
PID 2580 wrote to memory of 2144	2580	Mp3tag.exe	33
PID 2580 wrote to memory of 2144	2580	Mp3tag.exe	33
PID 2580 wrote to memory of 2144	2580	Mp3tag.exe	33
PID 2580 wrote to memory of 2144	2580	Mp3tag.exe	33
PID 2580 wrote to memory of 2144	2580	Mp3tag.exe	33
PID 2144 wrote to memory of 1124	2144	cmd.exe	35
PID 2144 wrote to memory of 1124	2144	cmd.exe	35
PID 2144 wrote to memory of 1124	2144	cmd.exe	35
PID 2144 wrote to memory of 1124	2144	cmd.exe	35
PID 2144 wrote to memory of 1124	2144	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\c570824c19f6b18f9385b6d2dd362e30N.exe
"C:\Users\Admin\AppData\Local\Temp\c570824c19f6b18f9385b6d2dd362e30N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\Temp\{B7114CF0-266E-4B90-AA02-315BD436AB76}\.cr\c570824c19f6b18f9385b6d2dd362e30N.exe
  "C:\Windows\Temp\{B7114CF0-266E-4B90-AA02-315BD436AB76}\.cr\c570824c19f6b18f9385b6d2dd362e30N.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\c570824c19f6b18f9385b6d2dd362e30N.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\Temp\{7FC886D0-E939-4673-9167-4054C6D0122D}\.ba\Mp3tag.exe
    "C:\Windows\Temp\{7FC886D0-E939-4673-9167-4054C6D0122D}\.ba\Mp3tag.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Users\Admin\AppData\Roaming\WO_Reader\Mp3tag.exe
      C:\Users\Admin\AppData\Roaming\WO_Reader\Mp3tag.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2144
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\181fed61

Filesize
1.1MB

MD5
0337d286ee08e3be93c0231bf795bea1

SHA1
27184a26b57cfce505bff63f0aef940e2bfc0b73

SHA256
8e5b8597a2af8ad743bf2939ceaae3ea25e337dd08d431760cc740a611b8126c

SHA512
c734980af28443e17c4639f22c6f2c94e056d9a9387b34d255080be6158cefee2b71e528887fee19befd7b1dd638d20d8ab2a78b172f42444cb7da5092c3fa76

Download Submit
C:\Windows\Temp\{7FC886D0-E939-4673-9167-4054C6D0122D}\.ba\airintake.xlsx

Filesize
74KB

MD5
946dc224bc5c624516a5a7c198e29f2b

SHA1
1e00bef81cd7cbfdfd0e1abc4395cd27838061ca

SHA256
840357d9542674dfcd1e70ee824fbdd8c0e138959761534acbbd25553c2290fe

SHA512
aaab53abca59c915e0eb109fb2b73226671662e92cde4fd554c93046893a4f0cca52f9ad6b9b829374ab557e851f7de3ba4833a4131f1fc7ee734b84701f4ca0

Download Submit
C:\Windows\Temp\{7FC886D0-E939-4673-9167-4054C6D0122D}\.ba\precentor.jpeg

Filesize
1000KB

MD5
7a01c82029fc3456d957c42d50dcefc7

SHA1
8bd01193dbe1781071a875cd24aa0ef60176ba9c

SHA256
3b84a6c0f12e0398f3ac83e2bbee566bca2d4a0a0ab6c7bbb0affed63409cb38

SHA512
499428c641b842bf64ede98903fb576d29e735aebd59d3f8703718abfa3269627963a9453987fbd15f3e83272d891e7d7918703cfb862588b4f8dee575a850e6

Download Submit
\Windows\Temp\{7FC886D0-E939-4673-9167-4054C6D0122D}\.ba\Microfilm.dll

Filesize
188KB

MD5
9c79ec1722bfc75da4a054ebb2519e3f

SHA1
8b1945288873460db224923095f2939750bee7e0

SHA256
0063b354d0218fa55c4c3f0f5416f958c3e67fe822c3401883642e201bd108f4

SHA512
b083ec3d59e0662e4417a64c8e19c71fd1ac38b9e1b5b1a85f5de871588d097f5c17ada13c2ffe6352e2dc921b9df7160ec7d7e83f23d1fe7269022ce574b974

Download Submit
\Windows\Temp\{7FC886D0-E939-4673-9167-4054C6D0122D}\.ba\Mp3tag.exe

Filesize
12.0MB

MD5
a7118dffeac3772076f1a39a364d608d

SHA1
6b984d9446f23579e154ec47437b9cf820fd6b67

SHA256
f1973746ac0a703b23526f68c639436f0b26b0bc71c4f5adf36dc5f6e8a7f4d0

SHA512
f547c13b78acda9ca0523f0f8cd966c906f70a23a266ac86156dc7e17e6349e5f506366787e7a7823e2b07b0d614c9bd08e34ca5cc4f48799b0fe36ac836e890

Download Submit
\Windows\Temp\{7FC886D0-E939-4673-9167-4054C6D0122D}\.ba\tak_deco_lib.dll

Filesize
315KB

MD5
48f5aedd31cb66eeec556eaf88962201

SHA1
5a415d07aec0d88e9e04699e0dcabc6e81805696

SHA256
8170e58e75a0389395499ae7a1e2c9fb6055f548a0ef9322ff944b96f698cbb9

SHA512
4855bdd9caa4a9946aa5c9a8033965c2dc55461da083aae1ecfadabd5639e5abbe3ef142a36afd0c79a819636824401fa1902297620dc3ae7a4401dec3888140

Download Submit
\Windows\Temp\{B7114CF0-266E-4B90-AA02-315BD436AB76}\.cr\c570824c19f6b18f9385b6d2dd362e30N.exe

Filesize
6.5MB

MD5
bd0a1910f42d180b53567a6e89315427

SHA1
e1fdc4f6b260ee2a598f71c5e083ab907ca92153

SHA256
c575afbabbf9344a79ef9710c2b393c5be176709fd39fd81788d3931bc922492

SHA512
f9407c6b8e01c375424c6108db18e394b3a3450c75414dd57e6f1fe27ecb8949f39107c3c7c2ec37f7b9a38164845b69728da1ab95cd4d565f3595e047e168b6

Download Submit
memory/1124-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1124-45-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1124-44-0x0000000077930000-0x0000000077AD9000-memory.dmp

Filesize
1.7MB

Download
memory/1124-43-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2144-40-0x0000000077930000-0x0000000077AD9000-memory.dmp

Filesize
1.7MB

Download
memory/2144-41-0x00000000752B0000-0x0000000075424000-memory.dmp

Filesize
1.5MB

Download
memory/2580-36-0x000007FEF6FE0000-0x000007FEF7138000-memory.dmp

Filesize
1.3MB

Download
memory/2580-38-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2580-35-0x000007FEF6FE0000-0x000007FEF7138000-memory.dmp

Filesize
1.3MB

Download
memory/2844-29-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2844-21-0x000007FEF7C10000-0x000007FEF7D68000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing