fe7788e0c5946b262f10251f2efd1e53786b5552ef7bbff9fe2e8d4ba2a7d46c

General

Target

MTracer.exe
Size

228KB
MD5

eb3967cbe8d3606bbf9bad3e7513a3f5
SHA1

f5a2fe4f7d846353db2da49d484c6be5fabf20ee
SHA256

d79916129a74175edcc93b30d1a7a14f2f0c996098a4223b73678d26402181db
SHA512

381ae970265537150c119201c27c7043376a9df197d42ab3b88d0ec675094c1057b673eb883263fdb1b26dfdd70ffccb9c6c80ac6e664f13a6f579e62c7c5a45
SSDEEP

6144:rnqy8DFFZ8GbleI/4PkT98gWNlPTGQQm6agrdb:6/Z8MleI/4PkaNtTird

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MTracer.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}	MTracer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\TypeLib	MTracer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\TypeLib\ = "{63F51DB7-7E24-376F-F6EA-E5DAECD5826E}"	MTracer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\VersionIndependentProgID\ = "WMSClientNetManager.ClientNetManager"	MTracer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\ = "Evexibew Girini Ebemiw object"	MTracer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\ProgID	MTracer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\ProgID\	MTracer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\ProgID\ = "WMSClientNetManager.ClientNetManager.1"	MTracer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\TypeLib\	MTracer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\Version	MTracer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\VersionIndependentProgID	MTracer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\InprocServer32	MTracer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63F51DB7-7E24-376F-F6EA-E5DAECD5826E}	MTracer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63F51DB7-7E24-376F-F6EA-E5DAECD5826E}\	MTracer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\Version\	MTracer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\Version\ = "1.0"	MTracer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\VersionIndependentProgID\	MTracer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\InprocServer32\	MTracer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EE1EE74-9B2C-4560-708E-EC8C9682F772}\InprocServer32\ = "C:\\Windows\\SysWOW64\\WMNetMgr.dll"	MTracer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4856	MTracer.exe
4856	MTracer.exe

C:\Users\Admin\AppData\Local\Temp\MTracer.exe
"C:\Users\Admin\AppData\Local\Temp\MTracer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4856-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4856-1-0x00000000022B0000-0x00000000022F3000-memory.dmp

Filesize
268KB

Download
memory/4856-8-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/4856-7-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4856-6-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/4856-11-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4856-12-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/4856-9-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/4856-5-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/4856-4-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/4856-3-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4856-2-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4856-10-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/4856-13-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4856-15-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4856-14-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4856-19-0x00000000022B0000-0x00000000022F3000-memory.dmp

Filesize
268KB

Download
memory/4856-18-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/4856-17-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/4856-16-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4856-20-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4856-21-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4856-22-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4856-23-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4856-24-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4856-25-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4856-26-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4856-27-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4856-28-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4856-29-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4856-30-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4856-31-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4856-32-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4856-33-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing