dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f

General

Target

dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Size

3.7MB
MD5

2df36c0d9dbdbd723521a7a12e0f4239
SHA1

a4de30a0bb891d917cfd52111c88f1261dbf7a4c
SHA256

dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f
SHA512

c455225708baa8dc33a73a273503e58707b118ab9ca12946b4f99f9837dbc034ed03d218a3a8c8b42a6a0a6ec9e5f53d971a5b6b7ce79368a1452759a0f677d0
SSDEEP

98304:7hnN4T7AX2T/Ij2Keun3SkRgnxCoWVHK+cucGKL:7FuT7jT/O2sn3JRgnIlcGI

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2516	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
2516	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
2516	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
2516	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
2516	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
2516	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
2516	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
2516	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2516	dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe

C:\Users\Admin\AppData\Local\Temp\dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe
"C:\Users\Admin\AppData\Local\Temp\dd006e8c2cb25929f4388f9df5efdebd15160f79d65b7d661b2c98c6ba35ba1f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LSB7456.tmp

Filesize
15KB

MD5
9d5c845fec1983e26a1ab4f19b6f8a10

SHA1
1d67b30642c0d0e647d70f7da1c2b3e2332cdb8a

SHA256
6c7c730bd5e644ea2e7d04cee4f74d996ec64fd3b670fab918ae399b1ac5d723

SHA512
e226496d309ad7f896b62da7726ddbab579cea18739565538dda02eee6deff86c87da956558f92de4e31708322745d3dec0270523b43f1afbc93a7d4880d965f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LSB7457.tmp

Filesize
316KB

MD5
9dee66f3d3f507393ae713273555dbc6

SHA1
9c31d690e4c0c4e0aa599a20ba63ec3b9aca6a26

SHA256
17a65cf3751817383d723e299e2e386fb0b07a12e16a25460b98c7917a9f8b3d

SHA512
f9940d1e811fcec8cee6557382d7d9366d77ed233b1adc3e65f1806628f0669b4edb6580307990843ac798a0077f245fc9a25ac39796e0db8451da476803efaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\~SB757E.tmp

Filesize
3KB

MD5
f01f9a9b13725fedb9e67eaec69ed1d5

SHA1
21def9a9614f1fcadfeeb1672ae1945356f5c2ac

SHA256
98496d31a5aed312838338c77c003e4b7567a103a6090d9e0329bfb27b99f2b8

SHA512
407d70a9056c749dcf3d0a76047e4a18184516aab5762c194676d245009eee7463b114b56fcc29ca4ad96cc659dba80ce76f993eadb063f66077b1428bbf72a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~SB757F.tmp

Filesize
9KB

MD5
4650ae9be4ad7db580f120431a49bf73

SHA1
5570711d8ec84d233a2b03fe5497343cdaf4bf68

SHA256
09e3f4fe84e3f8317842eed7c19b8185417ee6522213ed07b780c2f85189bcd9

SHA512
20731cd107055694857cbcb1b9df51a2f2d613f8afc200f1f70e6010395ed65639fa7db16739e0b0bd2470802a674e64e7d9d782037e5b675e43ebca2639cc9a

Download Submit

Analysis

Sharing