13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e

General

Target

13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
Size

1.5MB
MD5

180ad8fe3294d5cbf1508f3576c70f1c
SHA1

831c8ef7b3efedae003526a87139e806c713ed24
SHA256

13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e
SHA512

d5a7ece40082978640d886b33729255c4b47a3bac6fac1973eb475599bf3c79795b2314dd4ae6c87685c56a0c9f9990a42a61d0ba9482be81489fae48900933c
SSDEEP

24576:qIgqdRkAM4OF+PMwrSVlbmfDYkhDvGtjXtGUAF9kJ7MqudghfEuCj0hThiHHxlhg:qIeMw6kbQlYSRUT7ofIlohsgm

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EXE.lnk	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe

Executes dropped EXE 1 IoCs

pid	Process
208	EXE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXE.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3028	cmd.exe
876	PING.EXE
1956	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
876	PING.EXE
1956	PING.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
208	EXE.exe
208	EXE.exe
208	EXE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
Token: SeDebugPrivilege	208	EXE.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 3028	4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe	98
PID 4724 wrote to memory of 3028	4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe	98
PID 4724 wrote to memory of 3028	4724	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe	98
PID 3028 wrote to memory of 876	3028	cmd.exe	100
PID 3028 wrote to memory of 876	3028	cmd.exe	100
PID 3028 wrote to memory of 876	3028	cmd.exe	100
PID 3028 wrote to memory of 1956	3028	cmd.exe	103
PID 3028 wrote to memory of 1956	3028	cmd.exe	103
PID 3028 wrote to memory of 1956	3028	cmd.exe	103
PID 3028 wrote to memory of 208	3028	cmd.exe	112
PID 3028 wrote to memory of 208	3028	cmd.exe	112
PID 3028 wrote to memory of 208	3028	cmd.exe	112
PID 208 wrote to memory of 1416	208	EXE.exe	116
PID 208 wrote to memory of 1416	208	EXE.exe	116
PID 208 wrote to memory of 1416	208	EXE.exe	116
PID 208 wrote to memory of 1416	208	EXE.exe	116
PID 208 wrote to memory of 1416	208	EXE.exe	116
PID 208 wrote to memory of 1416	208	EXE.exe	116
PID 208 wrote to memory of 1416	208	EXE.exe	116
PID 208 wrote to memory of 1416	208	EXE.exe	116

C:\Users\Admin\AppData\Local\Temp\13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
"C:\Users\Admin\AppData\Local\Temp\13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\Admin\AppData\Local\Temp\13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe" "C:\Users\Admin\AppData\Roaming\EXE.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\Admin\AppData\Roaming\EXE.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 41
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:876
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 41
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1956
- - C:\Users\Admin\AppData\Roaming\EXE.exe
    "C:\Users\Admin\AppData\Roaming\EXE.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EXE.exe

Filesize
1.5MB

MD5
180ad8fe3294d5cbf1508f3576c70f1c

SHA1
831c8ef7b3efedae003526a87139e806c713ed24

SHA256
13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e

SHA512
d5a7ece40082978640d886b33729255c4b47a3bac6fac1973eb475599bf3c79795b2314dd4ae6c87685c56a0c9f9990a42a61d0ba9482be81489fae48900933c

Download Submit
memory/208-25-0x0000000006C90000-0x0000000006C96000-memory.dmp

Filesize
24KB

Download
memory/208-24-0x0000000006B10000-0x0000000006B2A000-memory.dmp

Filesize
104KB

Download
memory/208-23-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/208-22-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/208-21-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/208-20-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/208-19-0x00000000005A0000-0x0000000000722000-memory.dmp

Filesize
1.5MB

Download
memory/4724-6-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-10-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

Filesize
4KB

Download
memory/4724-11-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-13-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-9-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-7-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

Filesize
40KB

Download
memory/4724-5-0x0000000004E10000-0x0000000004EAE000-memory.dmp

Filesize
632KB

Download
memory/4724-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

Filesize
4KB

Download
memory/4724-4-0x0000000004D70000-0x0000000004E02000-memory.dmp

Filesize
584KB

Download
memory/4724-3-0x0000000005280000-0x0000000005824000-memory.dmp

Filesize
5.6MB

Download
memory/4724-2-0x0000000004C30000-0x0000000004CCC000-memory.dmp

Filesize
624KB

Download
memory/4724-1-0x00000000004B0000-0x0000000000632000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads