52404a0302dcc2eb1ce8204bf5f75738709011fed624c731fd8eae340f215c1a

General

Target

98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
Size

3.7MB
MD5

188f24d52a3f17cf472f0b7860612c58
SHA1

0fec989f098085c68be25fc48d366808aaac610a
SHA256

98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7
SHA512

bd359f6061810c361d61e023b60ee4c9143216c40bd89ca8c38a02f8a19ea325998dc7f0e7cfed4c948b80215b973cb54bb9209d067f09233a5084c79ced8356
SSDEEP

98304:cVOXXUzpyl/iMcLtN4LS8dHxbuBTYoVXKhyRH0BwMX:0Vzpl4L7dHjo4hyRH7+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1292	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
2752	scr_previw.exe
2644	scr_previw.exe

Loads dropped DLL 7 IoCs

pid	Process
1864	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
1292	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
1292	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
2752	scr_previw.exe
2752	scr_previw.exe
2644	scr_previw.exe
2720	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 2720	2644	scr_previw.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scr_previw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scr_previw.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2752	scr_previw.exe
2644	scr_previw.exe
2644	scr_previw.exe
2720	cmd.exe
2720	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2644	scr_previw.exe
2720	cmd.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 1292	1864	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	30
PID 1864 wrote to memory of 1292	1864	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	30
PID 1864 wrote to memory of 1292	1864	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	30
PID 1864 wrote to memory of 1292	1864	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	30
PID 1292 wrote to memory of 2752	1292	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	32
PID 1292 wrote to memory of 2752	1292	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	32
PID 1292 wrote to memory of 2752	1292	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	32
PID 1292 wrote to memory of 2752	1292	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	32
PID 2752 wrote to memory of 2644	2752	scr_previw.exe	33
PID 2752 wrote to memory of 2644	2752	scr_previw.exe	33
PID 2752 wrote to memory of 2644	2752	scr_previw.exe	33
PID 2752 wrote to memory of 2644	2752	scr_previw.exe	33
PID 2644 wrote to memory of 2720	2644	scr_previw.exe	34
PID 2644 wrote to memory of 2720	2644	scr_previw.exe	34
PID 2644 wrote to memory of 2720	2644	scr_previw.exe	34
PID 2644 wrote to memory of 2720	2644	scr_previw.exe	34
PID 2644 wrote to memory of 2720	2644	scr_previw.exe	34
PID 2720 wrote to memory of 1964	2720	cmd.exe	36
PID 2720 wrote to memory of 1964	2720	cmd.exe	36
PID 2720 wrote to memory of 1964	2720	cmd.exe	36
PID 2720 wrote to memory of 1964	2720	cmd.exe	36
PID 2720 wrote to memory of 1964	2720	cmd.exe	36
PID 2720 wrote to memory of 1964	2720	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
"C:\Users\Admin\AppData\Local\Temp\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\TEMP\{F11F4605-478A-4772-A024-61705F08686A}\.cr\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
  "C:\Windows\TEMP\{F11F4605-478A-4772-A024-61705F08686A}\.cr\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe" -burn.filehandle.attached=216 -burn.filehandle.self=212
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\TEMP\{BE42EA96-6CE0-49B8-A04A-157E5654446E}\.ba\scr_previw.exe
    "C:\Windows\TEMP\{BE42EA96-6CE0-49B8-A04A-157E5654446E}\.ba\scr_previw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Roaming\makeAdvancedQGU\scr_previw.exe
      C:\Users\Admin\AppData\Roaming\makeAdvancedQGU\scr_previw.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4f419550

Filesize
856KB

MD5
f4f4f307865befaef542a80e8a625661

SHA1
7c237ba6cf1911375db8beea69ae1c4a3698f470

SHA256
a9be44206fa3f3efb64c63e325997c8ab5b4b091ce8ac5ce05ba94ee41f6ba02

SHA512
276319a681d3e3db08d679cad0560d3e80f2a3b4bf9cec0a1ce20120ce6e687c279f16d12c8638161a6ea08d344e77e31102344750b706c45a5fa8021da3857a

Download Submit
C:\Windows\TEMP\{BE42EA96-6CE0-49B8-A04A-157E5654446E}\.ba\delr

Filesize
66KB

MD5
d287578542c8e1042e228ff517584d62

SHA1
b496c8c0ee89e3ee3d86e99b22b0cc6a4518c8a6

SHA256
5e12046a7555aa5259703ed6910fbc969826dafdcde848fad710eb952960718c

SHA512
3c1015bbbd54d7960e800eb5a55e40e31670c91a2b63e9521cb73314bf9d10d535ee3b37fbf1cd83a46037cb128682f5eafbb873b1001ed07d92b9adf049415b

Download Submit
C:\Windows\TEMP\{BE42EA96-6CE0-49B8-A04A-157E5654446E}\.ba\mhtb

Filesize
614KB

MD5
78bd91f9ad6c1a9813fca8bd17329bbe

SHA1
64a2ad004e23ccfd7325618e7f4d2be303bf71bd

SHA256
36c4e6886ff20758e6fcdc83a0714961a3454b861b2db1a8c7001f3f0fa06833

SHA512
8927b01237f05ca91117e1d0d06c906ff723d9a917b337594b3092999d8808febfca5a27f9e860027d9d832ef1f770aceda714217bfe101bb2ec064c7b3d6437

Download Submit
\Windows\Temp\{BE42EA96-6CE0-49B8-A04A-157E5654446E}\.ba\Artifice.dll

Filesize
526KB

MD5
edffaeecf1d2be26df6ca2e455030dad

SHA1
1e9e96910d2599ae2c3ace86780236fa6801397d

SHA256
843cb536456a0bdf78dfcfd04a45575f0b2b231e12c8a26085437712f121fa4c

SHA512
74626114a098af8c384bbcc162e569c10b8cba32fe26b48080322cc7f5701e3fd6a7b8a5bc52fe628a110d4dbaf3bccfc1691d799c75003793519e0d962d1be9

Download Submit
\Windows\Temp\{BE42EA96-6CE0-49B8-A04A-157E5654446E}\.ba\d3dx9_43.dll

Filesize
1.9MB

MD5
d0253aed34e4ed3c60b00a238edac4c9

SHA1
151c0e2832cb0437bcec96ef0310de6cf5584358

SHA256
790fde0ac7273303db48f501789370b0f2918d24381c9d4fca5d6f63e81a1241

SHA512
76d7a2f65f5ace8678a03479903667729cfa468c4aa1f7501dbb3dff110544786a19758de5f98a553cd9ea088cbe03dda9cb215401e9b037cf5ce0eebd463972

Download Submit
\Windows\Temp\{BE42EA96-6CE0-49B8-A04A-157E5654446E}\.ba\scr_previw.exe

Filesize
2.2MB

MD5
d9530ecee42acccfd3871672a511bc9e

SHA1
89b4d2406f1294bd699ef231a4def5f495f12778

SHA256
81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280

SHA512
d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980

Download Submit
\Windows\Temp\{F11F4605-478A-4772-A024-61705F08686A}\.cr\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe

Filesize
3.0MB

MD5
c90969b61fa601af3b7fa9b955f1133b

SHA1
3ffb38c61ef331cf0557cdc18819cc192d565ab7

SHA256
0c71659a7e9f2a16be4252a166ac7d9bc75177a3f531f03ea91b3851ae819915

SHA512
bb8ffdec9d17f74306fed12a221a7c04bffb8bb931f354471222b315b553da983aa32347fac4304ba32fe67a3c8ab020435e621acec21288212a77fa585909b2

Download Submit
memory/1964-99-0x00000000000C0000-0x00000000000EA000-memory.dmp

Filesize
168KB

Download
memory/1964-98-0x00000000000C0000-0x00000000000EA000-memory.dmp

Filesize
168KB

Download
memory/1964-94-0x00000000000C0000-0x00000000000EA000-memory.dmp

Filesize
168KB

Download
memory/1964-93-0x0000000077560000-0x0000000077709000-memory.dmp

Filesize
1.7MB

Download
memory/2644-40-0x0000000074850000-0x00000000749C4000-memory.dmp

Filesize
1.5MB

Download
memory/2644-42-0x0000000074850000-0x00000000749C4000-memory.dmp

Filesize
1.5MB

Download
memory/2644-41-0x0000000077560000-0x0000000077709000-memory.dmp

Filesize
1.7MB

Download
memory/2720-45-0x0000000077560000-0x0000000077709000-memory.dmp

Filesize
1.7MB

Download
memory/2720-91-0x0000000074850000-0x00000000749C4000-memory.dmp

Filesize
1.5MB

Download
memory/2752-25-0x0000000077560000-0x0000000077709000-memory.dmp

Filesize
1.7MB

Download
memory/2752-24-0x0000000074310000-0x0000000074484000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing