0487fca7b6fdf3fb700ea249b146d56c5ab2d2b81ed0b055986fe715b5a96e2c

General

Target

a4cdebb3fb9389844ad4ddf1705d7b00N.exe
Size

2.1MB
MD5

a4cdebb3fb9389844ad4ddf1705d7b00
SHA1

db2d31b2645c67cab55fd2358f943af0c59daac1
SHA256

0487fca7b6fdf3fb700ea249b146d56c5ab2d2b81ed0b055986fe715b5a96e2c
SHA512

a37de4ce44cab5bede856d2afa0a6872472aa32f8d39166f917fe302c2f9a35101061ced1f4fddae527de656ea24e7eeb159b18f6d4d1a6edd03ad2c6a6c16a6
SSDEEP

24576:vtWuGvmxMhee5z1mqQp8qKs59YEkYaCLlJ9AMDt8jn+fvD2LgJstqtK2Kwc:1pxxMg6mWEkYlZJ9AQt8z0i3qt

Score

6^/10

discovery

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	a4cdebb3fb9389844ad4ddf1705d7b00N.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast\Version	a4cdebb3fb9389844ad4ddf1705d7b00N.tmp

Executes dropped EXE 1 IoCs

pid	Process
1648	a4cdebb3fb9389844ad4ddf1705d7b00N.tmp

Loads dropped DLL 3 IoCs

pid	Process
2172	a4cdebb3fb9389844ad4ddf1705d7b00N.exe
1648	a4cdebb3fb9389844ad4ddf1705d7b00N.tmp
1648	a4cdebb3fb9389844ad4ddf1705d7b00N.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4cdebb3fb9389844ad4ddf1705d7b00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4cdebb3fb9389844ad4ddf1705d7b00N.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1648	a4cdebb3fb9389844ad4ddf1705d7b00N.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1648	2172	a4cdebb3fb9389844ad4ddf1705d7b00N.exe	29
PID 2172 wrote to memory of 1648	2172	a4cdebb3fb9389844ad4ddf1705d7b00N.exe	29
PID 2172 wrote to memory of 1648	2172	a4cdebb3fb9389844ad4ddf1705d7b00N.exe	29
PID 2172 wrote to memory of 1648	2172	a4cdebb3fb9389844ad4ddf1705d7b00N.exe	29
PID 2172 wrote to memory of 1648	2172	a4cdebb3fb9389844ad4ddf1705d7b00N.exe	29
PID 2172 wrote to memory of 1648	2172	a4cdebb3fb9389844ad4ddf1705d7b00N.exe	29
PID 2172 wrote to memory of 1648	2172	a4cdebb3fb9389844ad4ddf1705d7b00N.exe	29

C:\Users\Admin\AppData\Local\Temp\a4cdebb3fb9389844ad4ddf1705d7b00N.exe
"C:\Users\Admin\AppData\Local\Temp\a4cdebb3fb9389844ad4ddf1705d7b00N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\is-L72AT.tmp\a4cdebb3fb9389844ad4ddf1705d7b00N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-L72AT.tmp\a4cdebb3fb9389844ad4ddf1705d7b00N.tmp" /SL5="$401AC,1326512,906752,C:\Users\Admin\AppData\Local\Temp\a4cdebb3fb9389844ad4ddf1705d7b00N.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-ECDH3.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-ECDH3.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-L72AT.tmp\a4cdebb3fb9389844ad4ddf1705d7b00N.tmp

Filesize
3.1MB

MD5
d3b07f5966c17d78fe6dc438a9d6eb1c

SHA1
7633a58125a489b0de6bd7fa91002853dd74aed8

SHA256
481758cbeec8c7acb4952b1b5e9c38ec1837ec2a75bdace97a25037d7b10a98a

SHA512
201955e8add455c050b660e9b9ddd0516be9069dbf016d2fa49a38954f137ab49c028c4d426fad169b35292c9d997226cdf30a89fce53e4e845aa9c53d73e4f0

Download Submit
memory/1648-8-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/1648-15-0x0000000002650000-0x000000000268C000-memory.dmp

Filesize
240KB

Download
memory/1648-20-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/2172-2-0x0000000000401000-0x00000000004BA000-memory.dmp

Filesize
740KB

Download
memory/2172-0-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2172-19-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing