e687a95ccec40ce535d75314f7b735aa2b937c6ee1e0c0dbad339f6995101cc9

General

Target

658934799d868a8c738d6baf0ad6b580N.exe
Size

2.3MB
MD5

658934799d868a8c738d6baf0ad6b580
SHA1

828bb90f0c040ced924672dfe6e6a91e59a59901
SHA256

e687a95ccec40ce535d75314f7b735aa2b937c6ee1e0c0dbad339f6995101cc9
SHA512

39688322b40c84046c3ace5a03db804ea89cd0b2006ad44db1234f97dab2c32385f994378980b9209810b6bfb3622f912a4c189785caa46a2450ff4163487817
SSDEEP

49152:04bPSh4tbTChxKCnFnQXBbrtgb/iQvu0UHOr:p7Sh4t6hxvWbrtUTrUHOr

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2020	@AE8FD1.tmp.exe
2268	658934799d868a8c738d6baf0ad6b580N.exe
916	WdExt.exe

Loads dropped DLL 8 IoCs

pid	Process
2912	explorer.exe
2912	explorer.exe
2912	explorer.exe
2020	@AE8FD1.tmp.exe
2912	explorer.exe
2804	cmd.exe
2804	cmd.exe
916	WdExt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	658934799d868a8c738d6baf0ad6b580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@AE8FD1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WdExt.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2020	@AE8FD1.tmp.exe
916	WdExt.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2912	2972	658934799d868a8c738d6baf0ad6b580N.exe	29
PID 2972 wrote to memory of 2912	2972	658934799d868a8c738d6baf0ad6b580N.exe	29
PID 2972 wrote to memory of 2912	2972	658934799d868a8c738d6baf0ad6b580N.exe	29
PID 2972 wrote to memory of 2912	2972	658934799d868a8c738d6baf0ad6b580N.exe	29
PID 2972 wrote to memory of 2912	2972	658934799d868a8c738d6baf0ad6b580N.exe	29
PID 2972 wrote to memory of 2912	2972	658934799d868a8c738d6baf0ad6b580N.exe	29
PID 2912 wrote to memory of 2020	2912	explorer.exe	30
PID 2912 wrote to memory of 2020	2912	explorer.exe	30
PID 2912 wrote to memory of 2020	2912	explorer.exe	30
PID 2912 wrote to memory of 2020	2912	explorer.exe	30
PID 2912 wrote to memory of 2268	2912	explorer.exe	31
PID 2912 wrote to memory of 2268	2912	explorer.exe	31
PID 2912 wrote to memory of 2268	2912	explorer.exe	31
PID 2912 wrote to memory of 2268	2912	explorer.exe	31
PID 2020 wrote to memory of 2804	2020	@AE8FD1.tmp.exe	32
PID 2020 wrote to memory of 2804	2020	@AE8FD1.tmp.exe	32
PID 2020 wrote to memory of 2804	2020	@AE8FD1.tmp.exe	32
PID 2020 wrote to memory of 2804	2020	@AE8FD1.tmp.exe	32
PID 2020 wrote to memory of 2136	2020	@AE8FD1.tmp.exe	33
PID 2020 wrote to memory of 2136	2020	@AE8FD1.tmp.exe	33
PID 2020 wrote to memory of 2136	2020	@AE8FD1.tmp.exe	33
PID 2020 wrote to memory of 2136	2020	@AE8FD1.tmp.exe	33
PID 2804 wrote to memory of 916	2804	cmd.exe	36
PID 2804 wrote to memory of 916	2804	cmd.exe	36
PID 2804 wrote to memory of 916	2804	cmd.exe	36
PID 2804 wrote to memory of 916	2804	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\658934799d868a8c738d6baf0ad6b580N.exe
"C:\Users\Admin\AppData\Local\Temp\658934799d868a8c738d6baf0ad6b580N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\@AE8FD1.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\@AE8FD1.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2136
- - C:\Users\Admin\AppData\Local\Temp\658934799d868a8c738d6baf0ad6b580N.exe
    "C:\Users\Admin\AppData\Local\Temp\658934799d868a8c738d6baf0ad6b580N.exe"
    3⤵
    - Executes dropped EXE
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Se9178.tmp

Filesize
896B

MD5
be49ee9d1b6da594241ce3b7432c5d64

SHA1
d81e68b9bf84258af2e6b5595c4f5c8d53b9c901

SHA256
db66d62796ae12bf459e514f27bb1a0d416d804365f44e8ec53dd760e3f7b8b8

SHA512
0c15d8d86e0dfccbcecd50b3dd5906f8f5b7c52511128d01be82b394ccb08ed85a486a101bbb5d992a688d1e62f21fda712daef1bf3a5ecba9aad152e47562f5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
196B

MD5
6266b3da2564e372b0d4698d10f80377

SHA1
3cb8cfd221583b4eb339886c5df74caff6aeb07c

SHA256
3d38e7884bc8f4b2758db8b5335a793f27c208a98755d1aa2f3925cce6010960

SHA512
e8cc713f8ebe3a5ab3f59b88bc87dae7bc6b35e7bd2c088fd6a594e84ae11edd9c66dd6ad69f3148fb5098124a235f74175d5495ab98fcd34b1c84946fb4cda0

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
684c111c78f8bf6fcb5575d400e7669c

SHA1
d587894c0beffdff00ae6d358a5463ef18bcb485

SHA256
080fb4cd0b92884c89efab9161685f3ba0666cd9dab8de6c752bfe35e4e45716

SHA512
bcf748d21be502d7346f56ffc9ef13f3394d46c679d7cf17289d007e91b4ead2ec4035b3ccd5626eb378958cbb6ac371edfde8319433db9b709694595ae53e4f

Download Submit
\Users\Admin\AppData\Local\Temp\658934799d868a8c738d6baf0ad6b580N.exe

Filesize
538KB

MD5
ddbc4e046dd79c887006cce9863aa21f

SHA1
89ea1eaad9f1758012400f6fb5501dc9d3e563bf

SHA256
7e7568595fc5843e900fc2cc1c840ae9046a0f2a4169f519a581617894b2ea2c

SHA512
aeac27937ca78d5d36c293937831b85a72caeec7a89095c19faafc33f76c3f42e4ab36cf1a9e89433845afaf238512d996555e1fa188dd599fb6395f612f8231

Download Submit
\Users\Admin\AppData\Local\Temp\@AE8FD1.tmp.exe

Filesize
1.7MB

MD5
4c3d3118ad1dea55791321bebb03bb42

SHA1
2e154cd5a3bb81f6a37257488f9fc5e73496904e

SHA256
48ddf8c58db08ee2218c81098dce28290ce925580dd43764462effb60142cfb4

SHA512
c134bf36ff9ffb5e74cb508a19719d31b034038d28458cde4c803ee7a3bb80aedb6c6122ef023010f6b0305d2e549c78ec5e50f574563d5e521887f1eff8ac30

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
21f138f5a83e479c90cb494082e46475

SHA1
14a8f266f403356df337d801d2177b4ff4762c9d

SHA256
2cbd092e10072c97ee48fd484409bfd421e570dcb188d216295c3cec7a8f2611

SHA512
9f4a6de09026fa55ea7d75e3636aa7724f75bb02e05a4e18a3841d2fcbd7959c40347575dddcf2c192cd3f15dd993bade8bf647626242f5dc33104616c85728d

Download Submit
\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
memory/2020-12-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing