edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a

General

Target

edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe
Size

1.2MB
MD5

6a2ea5172be0df919da383e58add9ae2
SHA1

62b7b92e8e04e9ab6ca23dda6ae0f59f561a99d0
SHA256

edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a
SHA512

a79145531acb91afdcc65c7c3241ab20b1798872d634d18028e5634bb26c5e43f8a4ed7a576648418a49bcfb93a30937714565cd4cf97158bf9e38b89f821651
SSDEEP

24576:Eid5SKN9efvgu2nGmLHoRyHsSUEjUCWMd2Q:EiuK4Yu23jxwhi

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2448	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe
2448	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2456	2448	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	30
PID 2448 wrote to memory of 2456	2448	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	30
PID 2448 wrote to memory of 2456	2448	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	30
PID 2448 wrote to memory of 2456	2448	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	30
PID 2456 wrote to memory of 2316	2456	cmd.exe	32
PID 2456 wrote to memory of 2316	2456	cmd.exe	32
PID 2456 wrote to memory of 2316	2456	cmd.exe	32
PID 2456 wrote to memory of 2316	2456	cmd.exe	32
PID 2448 wrote to memory of 2228	2448	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	33
PID 2448 wrote to memory of 2228	2448	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	33
PID 2448 wrote to memory of 2228	2448	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	33
PID 2448 wrote to memory of 2228	2448	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	33
PID 2228 wrote to memory of 2652	2228	cmd.exe	35
PID 2228 wrote to memory of 2652	2228	cmd.exe	35
PID 2228 wrote to memory of 2652	2228	cmd.exe	35
PID 2228 wrote to memory of 2652	2228	cmd.exe	35
PID 2448 wrote to memory of 2668	2448	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	36
PID 2448 wrote to memory of 2668	2448	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	36
PID 2448 wrote to memory of 2668	2448	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	36
PID 2448 wrote to memory of 2668	2448	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	36
PID 2668 wrote to memory of 2784	2668	cmd.exe	38
PID 2668 wrote to memory of 2784	2668	cmd.exe	38
PID 2668 wrote to memory of 2784	2668	cmd.exe	38
PID 2668 wrote to memory of 2784	2668	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe
"C:\Users\Admin\AppData\Local\Temp\edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c fsutil usn queryjournal C: > C:\Users\Admin\AppData\Local\Temp\USNDATA.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil usn queryjournal C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c fsutil usn queryjournal D: > C:\Users\Admin\AppData\Local\Temp\USNDATA.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil usn queryjournal D:
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c fsutil usn queryjournal F: > C:\Users\Admin\AppData\Local\Temp\USNDATA.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil usn queryjournal F:
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\USNDATA.txt

Filesize
273B

MD5
22c27eb1a63b8977eb110de934045c8b

SHA1
558a3dbed2cd6d6b19bf75f1f55711f74e4d6722

SHA256
b4bf8da1704df791459594da4d4b2759346019708761c208902e258c1f900d13

SHA512
ec95d76eb9c8de30ed82d01104062ec42ee0945123825715c33531b20feb67bae00724e734ad3da450291eb5b38f8b073f74d577ffa5a5033ebad8762d57e4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\USNDATA.txt

Filesize
89B

MD5
78f12c7d92ea474afd7b6bbdde2e248f

SHA1
da2258224f64885e495b51e61e5af10690995d4b

SHA256
b2fa04eebfb3f452c8b7e2a33f89e07ddbdfba77760ae478d96b17c31bd8102d

SHA512
32531fc74e26f74513e456251dfb4bac1a88abae5486822952dacbc23243de277f214a36296adc47adc17935340e54d141f273d66744d688a33ee9dbe51e3479

Download Submit
C:\Users\Admin\AppData\Local\Temp\USNDATA.txt

Filesize
52B

MD5
b3dea1fb8216d6a254ce1f36bf964abf

SHA1
3e720f5fda9cac658857854257ec2cf148430ed9

SHA256
ad6ba3eea4fe1afa5eba8cc7d57fe3ad23702b6a0a665095b141a21aa626a2de

SHA512
613df17ddcdd038fa57ddfa1bd196947793e3926658eb539fb213105fa506c95f2e91870f213f86848c73a96035df6a6139ff24956892c24e63eb0fb4da5998e

Download Submit

Analysis

Sharing