9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b

General

Target

9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe
Size

1.2MB
MD5

dfd90e6a25d9c49cec178caa36e5002e
SHA1

c04ede1be313be83c449a349cb1da61b43fe4b71
SHA256

9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b
SHA512

a8ffc320e3a7e864cf75d88f5ec0c3cc0e02bc244afc620dd5779a5c408c595eb1604b9b20c3f215181e580fc351a9e5c80f8d1b8a3111f80c3c714af26ba4ba
SSDEEP

24576:zqDEvCTbMWu7rQYlBQcBiT6rprG8aA5QGfP5Fmf4nzUZrbZ8n:zTvC/MTQYxsWR7aASYmfcA/

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1036 set thread context of 2476	1036	9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe	29
PID 2476 set thread context of 1436	2476	svchost.exe	20
PID 2476 set thread context of 2836	2476	svchost.exe	30
PID 2836 set thread context of 1436	2836	clip.exe	20

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clip.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2476	svchost.exe
2476	svchost.exe
2476	svchost.exe
2476	svchost.exe
2476	svchost.exe
2476	svchost.exe
2476	svchost.exe
2476	svchost.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe
2836	clip.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1036	9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe
2476	svchost.exe
2476	svchost.exe
2836	clip.exe
2836	clip.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1036	9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe
1036	9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1036	9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe
1036	9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2476	1036	9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe	29
PID 1036 wrote to memory of 2476	1036	9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe	29
PID 1036 wrote to memory of 2476	1036	9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe	29
PID 1036 wrote to memory of 2476	1036	9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe	29
PID 1036 wrote to memory of 2476	1036	9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe	29
PID 2476 wrote to memory of 2836	2476	svchost.exe	30
PID 2476 wrote to memory of 2836	2476	svchost.exe	30
PID 2476 wrote to memory of 2836	2476	svchost.exe	30
PID 2476 wrote to memory of 2836	2476	svchost.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1436
- C:\Users\Admin\AppData\Local\Temp\9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe
  "C:\Users\Admin\AppData\Local\Temp\9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\9b8a53cada45aaa02c1a0917fcaaccf94239941161989602fa6c2ed81b4f539b.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\clip.exe
      "C:\Windows\SysWOW64\clip.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\corynteria

Filesize
264KB

MD5
30fbdd77d9b332ff9025d85c94abb7e1

SHA1
e891860b37e1adf3484a319d6d438f33c856ffa8

SHA256
8e7235e2c57214df8ecc8d845c8fe53173f8a116b530e17917085505cbf763df

SHA512
6add05d5c8c7b0b35d45e6c27abf537b40d89d6071644c76b511359517a6bc2c229ae684c3af01326651e644592ad6662f8bf9658899468d680ec402971a6657

Download Submit
memory/1036-12-0x00000000001A0000-0x00000000001A4000-memory.dmp

Filesize
16KB

Download
memory/1436-20-0x0000000009CE0000-0x000000000ADAC000-memory.dmp

Filesize
16.8MB

Download
memory/2476-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2476-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2476-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2476-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2476-19-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/2476-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2476-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2476-15-0x0000000000AD0000-0x0000000000DD3000-memory.dmp

Filesize
3.0MB

Download
memory/2476-24-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/2836-22-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2836-21-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2836-25-0x0000000001FB0000-0x00000000022B3000-memory.dmp

Filesize
3.0MB

Download
memory/2836-26-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2836-28-0x00000000007D0000-0x0000000000874000-memory.dmp

Filesize
656KB

Download
memory/2836-29-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing