58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd

General

Target

58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe
Size

246KB
MD5

d7a82d875706d57720b3a35ea797290d
SHA1

9dbc048de8ea29ab951b08341fd141dcd317f78f
SHA256

58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd
SHA512

f8ecd8c34a84448291d99f0135811da9dedeb7aea6a25db19aa98ce6b4f9366959a57409f4549bb7d93678d6a4d35657822725227741b9e3d289b4526bfae2d8
SSDEEP

6144:FMooVQnnOBccnskYPmTpUxrr1XRA7WHxWoN+J0EafCUSYibN6WG8M:+QnO/s1mTpG5bUo4bafVibv3M

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3012-2-0x0000000000400000-0x0000000001C5B000-memory.dmp	upx
behavioral1/memory/3012-1-0x0000000000400000-0x0000000001C5B000-memory.dmp	upx
behavioral1/memory/3012-6-0x0000000000400000-0x0000000001C5B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2776	PING.EXE
652	cmd.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2740	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2776	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 652	3012	58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe	29
PID 3012 wrote to memory of 652	3012	58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe	29
PID 3012 wrote to memory of 652	3012	58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe	29
PID 3012 wrote to memory of 652	3012	58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe	29
PID 652 wrote to memory of 2740	652	cmd.exe	31
PID 652 wrote to memory of 2740	652	cmd.exe	31
PID 652 wrote to memory of 2740	652	cmd.exe	31
PID 652 wrote to memory of 2740	652	cmd.exe	31
PID 652 wrote to memory of 2776	652	cmd.exe	34
PID 652 wrote to memory of 2776	652	cmd.exe	34
PID 652 wrote to memory of 2776	652	cmd.exe	34
PID 652 wrote to memory of 2776	652	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe
"C:\Users\Admin\AppData\Local\Temp\58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c systeminfo>>C:\Windows\temp\setup_gitlog.txt&ping 8.8.8.8>>C:\Windows\temp\setup_gitlog.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers system information
    PID:2740
- - C:\Windows\SysWOW64\PING.EXE
    ping 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\temp\setup_gitlog.txt

Filesize
33B

MD5
346bbdef8e66561ce4c33013160d7c75

SHA1
023e40d5eb04b2d7e8346ea0c9a62b05d372abec

SHA256
ce357dc9d96cbb6933f7895d5fee9052b72733c2db9fc32b1555761b1bd0c277

SHA512
f2fd0412846455ee0f47f9e88192ea4c6ee60c3118be40a44c9b626566652ed46b1c3a0708a7ec6feba7a9cafc61091a2a1c6cb864a99a081bb842625040594f

Download Submit
memory/3012-2-0x0000000000400000-0x0000000001C5B000-memory.dmp

Filesize
24.4MB

Download
memory/3012-1-0x0000000000400000-0x0000000001C5B000-memory.dmp

Filesize
24.4MB

Download
memory/3012-6-0x0000000000400000-0x0000000001C5B000-memory.dmp

Filesize
24.4MB

Download

Analysis

Sharing