0c4c5d4afa47499f0b32310b8c6b042f55e8d3358096eb24706ebb199b2b7d2d

General

Target

c28d8f0154ef63cbc5f84f8e9940a840N.exe
Size

281KB
MD5

c28d8f0154ef63cbc5f84f8e9940a840
SHA1

ea66d43a335ba6c6c101b599fa021b061caac04e
SHA256

0c4c5d4afa47499f0b32310b8c6b042f55e8d3358096eb24706ebb199b2b7d2d
SHA512

a458597512bd91b88b743b5294fab143c12397e12018da985fe6e792efba2777540f7a306e8dcbd08629494ede8a342a80d34ac9bd0686b0fdc866eb8033260e
SSDEEP

6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfO:boSeGUA5YZazpXUmZhZ6S7

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

a1punf5t2of.exe

pid process

1528 a1punf5t2of.exe
Loads dropped DLL 2 IoCs

Processes:

c28d8f0154ef63cbc5f84f8e9940a840N.exea1punf5t2of.exe

pid process

2644 c28d8f0154ef63cbc5f84f8e9940a840N.exe
1528 a1punf5t2of.exe

pid	process
1528	a1punf5t2of.exe

pid	process
2644	c28d8f0154ef63cbc5f84f8e9940a840N.exe
1528	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c28d8f0154ef63cbc5f84f8e9940a840N.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	c28d8f0154ef63cbc5f84f8e9940a840N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c28d8f0154ef63cbc5f84f8e9940a840N.exea1punf5t2of.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c28d8f0154ef63cbc5f84f8e9940a840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1punf5t2of.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

c28d8f0154ef63cbc5f84f8e9940a840N.exea1punf5t2of.exe

description	pid	process	target process
PID 2644 wrote to memory of 1528	2644	c28d8f0154ef63cbc5f84f8e9940a840N.exe	a1punf5t2of.exe
PID 2644 wrote to memory of 1528	2644	c28d8f0154ef63cbc5f84f8e9940a840N.exe	a1punf5t2of.exe
PID 2644 wrote to memory of 1528	2644	c28d8f0154ef63cbc5f84f8e9940a840N.exe	a1punf5t2of.exe
PID 2644 wrote to memory of 1528	2644	c28d8f0154ef63cbc5f84f8e9940a840N.exe	a1punf5t2of.exe
PID 2644 wrote to memory of 1528	2644	c28d8f0154ef63cbc5f84f8e9940a840N.exe	a1punf5t2of.exe
PID 2644 wrote to memory of 1528	2644	c28d8f0154ef63cbc5f84f8e9940a840N.exe	a1punf5t2of.exe
PID 2644 wrote to memory of 1528	2644	c28d8f0154ef63cbc5f84f8e9940a840N.exe	a1punf5t2of.exe
PID 1528 wrote to memory of 2716	1528	a1punf5t2of.exe	a1punf5t2of.exe
PID 1528 wrote to memory of 2716	1528	a1punf5t2of.exe	a1punf5t2of.exe
PID 1528 wrote to memory of 2716	1528	a1punf5t2of.exe	a1punf5t2of.exe
PID 1528 wrote to memory of 2716	1528	a1punf5t2of.exe	a1punf5t2of.exe
PID 1528 wrote to memory of 2716	1528	a1punf5t2of.exe	a1punf5t2of.exe
PID 1528 wrote to memory of 2716	1528	a1punf5t2of.exe	a1punf5t2of.exe
PID 1528 wrote to memory of 2716	1528	a1punf5t2of.exe	a1punf5t2of.exe

C:\Users\Admin\AppData\Local\Temp\c28d8f0154ef63cbc5f84f8e9940a840N.exe
"C:\Users\Admin\AppData\Local\Temp\c28d8f0154ef63cbc5f84f8e9940a840N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
3⤵
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Filesize
281KB

MD5
2f4de5f7987ec31d9111de1bdb71b5af

SHA1
46a07abd0b5824dd37e5b0f594ea3f2e421541d9

SHA256
1b2c385c809accbdfe51445bf60e35eb7f7773094c539096de4b9e6d8c433d12

SHA512
4907dc0b2c8330fa72cd021ddb404a15d40cc8a996e4c8217396ba4ad7e0b6b3eba4b3d690e03de493f8d2bfbf8c7ca021d79ee1b5db8ce07897c9b20d3b6299

Download Submit
memory/1528-13-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1528-14-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1528-16-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2644-0-0x0000000074711000-0x0000000074712000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2644-2-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2644-3-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2644-12-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads