6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302

General

Target

6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe
Size

208KB
MD5

95514abf158b6187fa105d8ee8d55138
SHA1

006ef49b6642bafd83b108e10abb0c3de39a4346
SHA256

6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302
SHA512

93d118c560c61eb3bcce2520f684c0d976aa27d9c43eb68a03b0758be8a8f072f99c1e38649c740764ce2c29325c703dd70b8d79f1a743da8b0d3b1600a400a5
SSDEEP

3072:OTVuc3MLAZHs5+4nOKngxYCSWj5jtO8ieDuehAd4NLthEjQT6:UucsA6EGOKgVXFjtbHDLhAdQEj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2684	MBBWU.exe

Loads dropped DLL 2 IoCs

pid	Process
2792	cmd.exe
2792	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\MBBWU.exe	6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe
File opened for modification	C:\windows\SysWOW64\MBBWU.exe	6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe
File created	C:\windows\SysWOW64\MBBWU.exe.bat	6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MBBWU.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2672	6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe
2672	6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe
2684	MBBWU.exe
2684	MBBWU.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2672	6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe
2672	6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe
2684	MBBWU.exe
2684	MBBWU.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2792	2672	6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe	30
PID 2672 wrote to memory of 2792	2672	6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe	30
PID 2672 wrote to memory of 2792	2672	6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe	30
PID 2672 wrote to memory of 2792	2672	6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe	30
PID 2792 wrote to memory of 2684	2792	cmd.exe	32
PID 2792 wrote to memory of 2684	2792	cmd.exe	32
PID 2792 wrote to memory of 2684	2792	cmd.exe	32
PID 2792 wrote to memory of 2684	2792	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe
"C:\Users\Admin\AppData\Local\Temp\6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\MBBWU.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\windows\SysWOW64\MBBWU.exe
    C:\windows\system32\MBBWU.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MBBWU.exe.bat

Filesize
74B

MD5
20db3089ec39632029049afc182bbe42

SHA1
c2e3aa462a3880aa99f4914ea3800aeb868200fe

SHA256
9e5926ae7c712fbea0e7fac77cdb1d858eadeee6745d9bd65c9b630062cdcfc8

SHA512
ea5fcc690c105b07ea73ab25aa3832abc1a40bd2fbfd66d58f368cdbe0e47c034dedbce4448faf7535d905c32e16746b946720b91c30bc786bd8c6d16fd3ff9b

Download Submit
C:\windows\SysWOW64\MBBWU.exe

Filesize
208KB

MD5
a71190177961f0f1ab52e96dcc1c446b

SHA1
77697736fa00ae95a56e9256593e22c636574750

SHA256
70e5af1d3efc68725364bb7736ba35e5becb1554c2381534537b7a463b3e4a23

SHA512
ecc723c8a99d861ca0dc6a57797c1a8a36a981d042c770d4d238956bb52dc4c896deeee777dcce2096c043297eb616eab72109100b5793b30b259611c3059a76

Download Submit
memory/2672-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2672-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2684-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2684-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2792-18-0x0000000000280000-0x00000000002B8000-memory.dmp

Filesize
224KB

Download
memory/2792-17-0x0000000000280000-0x00000000002B8000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing