314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208

General

Target

314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Size

923KB
MD5

f3d8bf428edea7e23d8462bb7b11b38d
SHA1

f76f09f2cbd7d7ebcdc22cbe2690c38c5ec47e70
SHA256

314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208
SHA512

d055f214b9699ab6ab4735a0f643a4b119e5519c7cf0714ff6e36969a18e557a922e71eebd586874c1bf0af39fe98d4543f68b2bae9c30ffbb5e004bf4b8cf64
SSDEEP

24576:hzB2mCd+xfIGh2N8Zg/CJSEj+Eon9YNJzQ:hsmCjGh2Nmj+Bn2JU

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c00310000000000e5582b6b10204c6f63616c00380008000400efbee558ce69e5582b6b2a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c00434653461600310000000000e558ce69122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbee558ce69e558ce692a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000042000000	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a003100000000000b59cf45102054656d700000360008000400efbee558ce690b59cf452a00000001020000000002000000000000000000000000000000540065006d007000000014000000	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1736	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1736	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
1736	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
1736	314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe

C:\Users\Admin\AppData\Local\Temp\314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe
"C:\Users\Admin\AppData\Local\Temp\314ea62675263f9e72b81e9e02d1184903753cdd938a071bf6d45b9e38982208.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1736-0-0x0000000003C30000-0x0000000003C32000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing