98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7

General

Target

98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
Size

3.7MB
MD5

188f24d52a3f17cf472f0b7860612c58
SHA1

0fec989f098085c68be25fc48d366808aaac610a
SHA256

98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7
SHA512

bd359f6061810c361d61e023b60ee4c9143216c40bd89ca8c38a02f8a19ea325998dc7f0e7cfed4c948b80215b973cb54bb9209d067f09233a5084c79ced8356
SSDEEP

98304:cVOXXUzpyl/iMcLtN4LS8dHxbuBTYoVXKhyRH0BwMX:0Vzpl4L7dHjo4hyRH7+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2200	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
2752	scr_previw.exe
2576	scr_previw.exe

Loads dropped DLL 7 IoCs

pid	Process
2616	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
2200	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
2200	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
2752	scr_previw.exe
2752	scr_previw.exe
2576	scr_previw.exe
2036	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 2036	2576	scr_previw.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scr_previw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scr_previw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2752	scr_previw.exe
2576	scr_previw.exe
2576	scr_previw.exe
2036	cmd.exe
2036	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2576	scr_previw.exe
2036	cmd.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2200	2616	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	31
PID 2616 wrote to memory of 2200	2616	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	31
PID 2616 wrote to memory of 2200	2616	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	31
PID 2616 wrote to memory of 2200	2616	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	31
PID 2200 wrote to memory of 2752	2200	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	32
PID 2200 wrote to memory of 2752	2200	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	32
PID 2200 wrote to memory of 2752	2200	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	32
PID 2200 wrote to memory of 2752	2200	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	32
PID 2752 wrote to memory of 2576	2752	scr_previw.exe	33
PID 2752 wrote to memory of 2576	2752	scr_previw.exe	33
PID 2752 wrote to memory of 2576	2752	scr_previw.exe	33
PID 2752 wrote to memory of 2576	2752	scr_previw.exe	33
PID 2576 wrote to memory of 2036	2576	scr_previw.exe	34
PID 2576 wrote to memory of 2036	2576	scr_previw.exe	34
PID 2576 wrote to memory of 2036	2576	scr_previw.exe	34
PID 2576 wrote to memory of 2036	2576	scr_previw.exe	34
PID 2576 wrote to memory of 2036	2576	scr_previw.exe	34
PID 2036 wrote to memory of 1180	2036	cmd.exe	36
PID 2036 wrote to memory of 1180	2036	cmd.exe	36
PID 2036 wrote to memory of 1180	2036	cmd.exe	36
PID 2036 wrote to memory of 1180	2036	cmd.exe	36
PID 2036 wrote to memory of 1180	2036	cmd.exe	36
PID 2036 wrote to memory of 1180	2036	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
"C:\Users\Admin\AppData\Local\Temp\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\TEMP\{CB072C47-B420-4AAE-9749-51CC37945A1D}\.cr\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
  "C:\Windows\TEMP\{CB072C47-B420-4AAE-9749-51CC37945A1D}\.cr\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe" -burn.filehandle.attached=216 -burn.filehandle.self=212
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\TEMP\{4E87C434-71E4-45D0-81A8-E03FB650AFA0}\.ba\scr_previw.exe
    "C:\Windows\TEMP\{4E87C434-71E4-45D0-81A8-E03FB650AFA0}\.ba\scr_previw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Roaming\makeAdvancedQGU\scr_previw.exe
      C:\Users\Admin\AppData\Roaming\makeAdvancedQGU\scr_previw.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afdb37ed

Filesize
856KB

MD5
20ab0151b9e18fcb3dea0141f5154e7b

SHA1
143d5ec5484c4908d7f864d3dba4cb51587cabf5

SHA256
56821ad1ee371202ba13cb6dce2f6a0e64c04fc37c4594f3344257b673285a23

SHA512
ba42e5f9607a8f5b3351fde193dea84a9ce7e4a3cea6451b84a8eeec77911aab0f34577b287db6877ce5b2d9621d301ce784bd1e0e596ff276d9bd2d0fc8e815

Download Submit
C:\Windows\TEMP\{4E87C434-71E4-45D0-81A8-E03FB650AFA0}\.ba\delr

Filesize
66KB

MD5
d287578542c8e1042e228ff517584d62

SHA1
b496c8c0ee89e3ee3d86e99b22b0cc6a4518c8a6

SHA256
5e12046a7555aa5259703ed6910fbc969826dafdcde848fad710eb952960718c

SHA512
3c1015bbbd54d7960e800eb5a55e40e31670c91a2b63e9521cb73314bf9d10d535ee3b37fbf1cd83a46037cb128682f5eafbb873b1001ed07d92b9adf049415b

Download Submit
C:\Windows\TEMP\{4E87C434-71E4-45D0-81A8-E03FB650AFA0}\.ba\mhtb

Filesize
614KB

MD5
78bd91f9ad6c1a9813fca8bd17329bbe

SHA1
64a2ad004e23ccfd7325618e7f4d2be303bf71bd

SHA256
36c4e6886ff20758e6fcdc83a0714961a3454b861b2db1a8c7001f3f0fa06833

SHA512
8927b01237f05ca91117e1d0d06c906ff723d9a917b337594b3092999d8808febfca5a27f9e860027d9d832ef1f770aceda714217bfe101bb2ec064c7b3d6437

Download Submit
\Windows\Temp\{4E87C434-71E4-45D0-81A8-E03FB650AFA0}\.ba\Artifice.dll

Filesize
526KB

MD5
edffaeecf1d2be26df6ca2e455030dad

SHA1
1e9e96910d2599ae2c3ace86780236fa6801397d

SHA256
843cb536456a0bdf78dfcfd04a45575f0b2b231e12c8a26085437712f121fa4c

SHA512
74626114a098af8c384bbcc162e569c10b8cba32fe26b48080322cc7f5701e3fd6a7b8a5bc52fe628a110d4dbaf3bccfc1691d799c75003793519e0d962d1be9

Download Submit
\Windows\Temp\{4E87C434-71E4-45D0-81A8-E03FB650AFA0}\.ba\d3dx9_43.dll

Filesize
1.9MB

MD5
d0253aed34e4ed3c60b00a238edac4c9

SHA1
151c0e2832cb0437bcec96ef0310de6cf5584358

SHA256
790fde0ac7273303db48f501789370b0f2918d24381c9d4fca5d6f63e81a1241

SHA512
76d7a2f65f5ace8678a03479903667729cfa468c4aa1f7501dbb3dff110544786a19758de5f98a553cd9ea088cbe03dda9cb215401e9b037cf5ce0eebd463972

Download Submit
\Windows\Temp\{4E87C434-71E4-45D0-81A8-E03FB650AFA0}\.ba\scr_previw.exe

Filesize
2.2MB

MD5
d9530ecee42acccfd3871672a511bc9e

SHA1
89b4d2406f1294bd699ef231a4def5f495f12778

SHA256
81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280

SHA512
d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980

Download Submit
\Windows\Temp\{CB072C47-B420-4AAE-9749-51CC37945A1D}\.cr\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe

Filesize
3.0MB

MD5
c90969b61fa601af3b7fa9b955f1133b

SHA1
3ffb38c61ef331cf0557cdc18819cc192d565ab7

SHA256
0c71659a7e9f2a16be4252a166ac7d9bc75177a3f531f03ea91b3851ae819915

SHA512
bb8ffdec9d17f74306fed12a221a7c04bffb8bb931f354471222b315b553da983aa32347fac4304ba32fe67a3c8ab020435e621acec21288212a77fa585909b2

Download Submit
memory/1180-99-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1180-98-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1180-94-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1180-93-0x0000000076E90000-0x0000000077039000-memory.dmp

Filesize
1.7MB

Download
memory/2036-45-0x0000000076E90000-0x0000000077039000-memory.dmp

Filesize
1.7MB

Download
memory/2036-91-0x00000000745E0000-0x0000000074754000-memory.dmp

Filesize
1.5MB

Download
memory/2576-42-0x00000000745E0000-0x0000000074754000-memory.dmp

Filesize
1.5MB

Download
memory/2576-41-0x0000000076E90000-0x0000000077039000-memory.dmp

Filesize
1.7MB

Download
memory/2576-40-0x00000000745E0000-0x0000000074754000-memory.dmp

Filesize
1.5MB

Download
memory/2752-25-0x0000000076E90000-0x0000000077039000-memory.dmp

Filesize
1.7MB

Download
memory/2752-24-0x0000000073C40000-0x0000000073DB4000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing