d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41

General

Target

d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
Size

2.7MB
MD5

ac3ab242cda9abd60b9b5bce92c201c0
SHA1

ad05cec66b8471ba6fad3afb7a2dc16215000555
SHA256

d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41
SHA512

4965150d36702e824bf9e7ea6b350fcc2ddddc5bdeed05b2d617fc22df3d9b639c73fc648d490d35261e65285842f8ed9eff2d61b8b4be462f02bcfe7ba12113
SSDEEP

49152:9YyT+P66XbOP/ZzA2DItg1Hoaz6wecYfFkURwlhyAuLjf/IVgs5+xP:ZTE66yXZ02DwUHoazRofxIhELjf/IVgs

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2824	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2160	Arleen Rosalinda.exe

Loads dropped DLL 6 IoCs

pid	Process
2516	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2640	2160	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Arleen Rosalinda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2824	cmd.exe
3052	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3052	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2516	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
2516	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
2160	Arleen Rosalinda.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
Token: SeIncBasePriorityPrivilege	2516	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
Token: SeDebugPrivilege	2160	Arleen Rosalinda.exe
Token: SeIncBasePriorityPrivilege	2160	Arleen Rosalinda.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2160	2516	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe	31
PID 2516 wrote to memory of 2160	2516	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe	31
PID 2516 wrote to memory of 2160	2516	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe	31
PID 2516 wrote to memory of 2160	2516	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe	31
PID 2516 wrote to memory of 2824	2516	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe	32
PID 2516 wrote to memory of 2824	2516	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe	32
PID 2516 wrote to memory of 2824	2516	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe	32
PID 2516 wrote to memory of 2824	2516	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe	32
PID 2824 wrote to memory of 3052	2824	cmd.exe	34
PID 2824 wrote to memory of 3052	2824	cmd.exe	34
PID 2824 wrote to memory of 3052	2824	cmd.exe	34
PID 2824 wrote to memory of 3052	2824	cmd.exe	34
PID 2160 wrote to memory of 2640	2160	Arleen Rosalinda.exe	35
PID 2160 wrote to memory of 2640	2160	Arleen Rosalinda.exe	35
PID 2160 wrote to memory of 2640	2160	Arleen Rosalinda.exe	35
PID 2160 wrote to memory of 2640	2160	Arleen Rosalinda.exe	35

C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
"C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\Arleen Rosalinda.exe
  "C:\Users\Admin\AppData\Local\Temp\Arleen Rosalinda.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 848
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Arleen Rosalinda.exe

Filesize
2.7MB

MD5
ea2bf0f98e449a2c59dff1f9fb09af97

SHA1
53cbbfd14a001acea01c7238889ae85655f53916

SHA256
816e85cc6582042f1474be9825bb38ec7d861ed77302e54240f718a71ede9b4f

SHA512
fa9424728ce18b1beaf967853d1aa6ed98b67e42f9ba1f8ea94ee1a4133ea125c277366ad532ddc652a468991c1bb9a380eed42a02476f07b60cc16a0e31dab6

Download Submit
\Users\Admin\AppData\Local\Temp\Arleen Rosalinda.exe

Filesize
2.7MB

MD5
c030475d0b475bb229d909ec7f2453ff

SHA1
cb4faf1181ee06447eed1c23fe59f16fe4d241d6

SHA256
081087f86099e6b85f57a4a7f71d355d6be40155c770f5bdee7fc86662b22454

SHA512
9683eaf0c00482fdfc05d2623f5ae23427a4934bc5b4e24a820484491fdfe279f6a0183cba957f1564d62c792975bf279f837914554e93ca0f3cc612f4dde9d3

Download Submit
memory/2160-29-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2160-30-0x00000000003B0000-0x0000000000672000-memory.dmp

Filesize
2.8MB

Download
memory/2160-32-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2160-38-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-3-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-4-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-5-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-2-0x00000000070B0000-0x00000000072D4000-memory.dmp

Filesize
2.1MB

Download
memory/2516-1-0x0000000000880000-0x0000000000B42000-memory.dmp

Filesize
2.8MB

Download
memory/2516-0-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download
memory/2516-31-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads