d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41

General

Target

d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
Size

2.7MB
MD5

ac3ab242cda9abd60b9b5bce92c201c0
SHA1

ad05cec66b8471ba6fad3afb7a2dc16215000555
SHA256

d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41
SHA512

4965150d36702e824bf9e7ea6b350fcc2ddddc5bdeed05b2d617fc22df3d9b639c73fc648d490d35261e65285842f8ed9eff2d61b8b4be462f02bcfe7ba12113
SSDEEP

49152:9YyT+P66XbOP/ZzA2DItg1Hoaz6wecYfFkURwlhyAuLjf/IVgs5+xP:ZTE66yXZ02DwUHoazRofxIhELjf/IVgs

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe

Executes dropped EXE 1 IoCs

pid	Process
2760	Brigit Cho.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2800	2760	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Brigit Cho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3160	PING.EXE
4444	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3160	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2284	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
2284	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
2760	Brigit Cho.exe
2760	Brigit Cho.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
Token: SeIncBasePriorityPrivilege	2284	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
Token: SeDebugPrivilege	2760	Brigit Cho.exe
Token: SeIncBasePriorityPrivilege	2760	Brigit Cho.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2760	2284	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe	91
PID 2284 wrote to memory of 2760	2284	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe	91
PID 2284 wrote to memory of 2760	2284	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe	91
PID 2284 wrote to memory of 4444	2284	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe	92
PID 2284 wrote to memory of 4444	2284	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe	92
PID 2284 wrote to memory of 4444	2284	d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe	92
PID 4444 wrote to memory of 3160	4444	cmd.exe	94
PID 4444 wrote to memory of 3160	4444	cmd.exe	94
PID 4444 wrote to memory of 3160	4444	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
"C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\Brigit Cho.exe
  "C:\Users\Admin\AppData\Local\Temp\Brigit Cho.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1568
    3⤵
    - Program crash
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2760 -ip 2760
1⤵
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Brigit Cho.exe

Filesize
2.7MB

MD5
86c9bf2d7575d19b48913603e8bb5dc1

SHA1
41bbdc31f69160727f177885757583de0e7f0317

SHA256
57c44c674ec135d46ecd358a4d8bab8797056b14bc1a13bf91dc209da06e9e7e

SHA512
ea0f5ae99f3894150d914c73c7f007c08978467993f2a2add17eb7dfe03a39b825e26db34e6d239ff2066511dbd9c6cd95d595544215323d15a6e8dd02f06d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brigit Cho.exe

Filesize
2.7MB

MD5
e49f48ad9f5c81e6b99827c9975f9715

SHA1
e44c4ef33cc43df566c7c8711fa586153fd6bece

SHA256
0c6e7b3b8583db3ce1a1a11bd9d35451ca7a943c71436275ad03ddf2689a4f5d

SHA512
a0f944890c619a54ab10ff9fad2966587add119b1d41cdacde4fbbd394d5466a40613bf8c785adbfc1aa35cbb347a265ae994f4ea54573a29329ab53fa084de7

Download Submit
memory/2284-8-0x000000000E310000-0x000000000E376000-memory.dmp

Filesize
408KB

Download
memory/2284-9-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/2284-4-0x000000000B3D0000-0x000000000B974000-memory.dmp

Filesize
5.6MB

Download
memory/2284-5-0x000000000AEC0000-0x000000000AF52000-memory.dmp

Filesize
584KB

Download
memory/2284-6-0x000000000B360000-0x000000000B36A000-memory.dmp

Filesize
40KB

Download
memory/2284-7-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/2284-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

Filesize
4KB

Download
memory/2284-3-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/2284-2-0x0000000007C00000-0x0000000007E24000-memory.dmp

Filesize
2.1MB

Download
memory/2284-1-0x00000000002C0000-0x0000000000582000-memory.dmp

Filesize
2.8MB

Download
memory/2284-37-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/2760-38-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/2760-39-0x0000000000900000-0x0000000000BC2000-memory.dmp

Filesize
2.8MB

Download
memory/2760-40-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/2760-41-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads