7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb

General

Target

7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe
Size

2.6MB
MD5

994412d860e5e5ef76d158af6bb7348c
SHA1

a02d3bac1da20020e272222128059442df4c80bf
SHA256

7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb
SHA512

17f74f0a5378e17144c3a0e9be6a2ac2cf6508bf0b3911741c3deff0643a0e65b4625001ea0a1830eba2d9d382ea511ec5b524c452363f9b9e0c4ce4c8cb729f
SSDEEP

49152:qavuXKFWbBCG93qC64NK6G1+ffk6AhjVzTLELdp5TjApRZS:LaKFW0G9aIkOf5Ah5sRXPeY

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2764	update.exe
1536	CrazyCoach.exe
1616	update.exe

Loads dropped DLL 15 IoCs

pid	Process
1772	7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe
1772	7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe
2764	update.exe
2764	update.exe
2764	update.exe
2764	update.exe
2764	update.exe
1536	CrazyCoach.exe
1536	CrazyCoach.exe
1536	CrazyCoach.exe
1536	CrazyCoach.exe
1536	CrazyCoach.exe
1616	update.exe
1616	update.exe
1616	update.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CrazyCoach.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1772	7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe
1772	7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe
1772	7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe
2764	update.exe
2764	update.exe
1536	CrazyCoach.exe
1536	CrazyCoach.exe
1536	CrazyCoach.exe
1616	update.exe
1616	update.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2764	1772	7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe	32
PID 1772 wrote to memory of 2764	1772	7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe	32
PID 1772 wrote to memory of 2764	1772	7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe	32
PID 1772 wrote to memory of 2764	1772	7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe	32
PID 1772 wrote to memory of 2764	1772	7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe	32
PID 1772 wrote to memory of 2764	1772	7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe	32
PID 1772 wrote to memory of 2764	1772	7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe	32
PID 2764 wrote to memory of 1536	2764	update.exe	34
PID 2764 wrote to memory of 1536	2764	update.exe	34
PID 2764 wrote to memory of 1536	2764	update.exe	34
PID 2764 wrote to memory of 1536	2764	update.exe	34
PID 2764 wrote to memory of 1536	2764	update.exe	34
PID 2764 wrote to memory of 1536	2764	update.exe	34
PID 2764 wrote to memory of 1536	2764	update.exe	34
PID 1536 wrote to memory of 1616	1536	CrazyCoach.exe	35
PID 1536 wrote to memory of 1616	1536	CrazyCoach.exe	35
PID 1536 wrote to memory of 1616	1536	CrazyCoach.exe	35
PID 1536 wrote to memory of 1616	1536	CrazyCoach.exe	35
PID 1536 wrote to memory of 1616	1536	CrazyCoach.exe	35
PID 1536 wrote to memory of 1616	1536	CrazyCoach.exe	35
PID 1536 wrote to memory of 1616	1536	CrazyCoach.exe	35

C:\Users\Admin\AppData\Local\Temp\7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe
"C:\Users\Admin\AppData\Local\Temp\7d5ef7dc322506b77ee8f56e87eaa3852b9b085be22eb56738cb585724c78bbb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\update.exe
  C:\Users\Admin\AppData\Local\Temp\update.exe 1772
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\CrazyCoach.exe
    C:\Users\Admin\AppData\Local\Temp\CrazyCoach.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\update.exe
      C:\Users\Admin\AppData\Local\Temp\update.exe 1536
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data.sdb

Filesize
13KB

MD5
84cac8915c284540d8d908640042cdb4

SHA1
0f2f60afc409039377fa7f091e5b87de43e3aa8a

SHA256
a88343e05e285fd3845b5e36ed5132453861f457690129d3ffe2a443ea78ccdf

SHA512
400cc0f9f708a34c9ec4910a910a0a44f05647fec05024c218b01a401a053d12bf7cc0c270037214e499951189fd80cddbfbbe335022048ab34656316ce2ffea

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ini

Filesize
87B

MD5
5fa262f40c37d3b9cacbfa88ae1a95d5

SHA1
9a1b173da1f2aa656ccc8969edd5fb20465ce4c3

SHA256
9fd8b00efc9c07f3e6d77904c629f213476a270890e46a8b29ed81e47e60f322

SHA512
bc59071419244d2dcb774662c09b4a2a529fa0d91bea0152baebfcede0ec983d060a9640e0af314e1c9b50cdb13a5018cb8c1076a793a78b5c57ef55b415d349

Download Submit
\Users\Admin\AppData\Local\Temp\CrazyCoach.exe

Filesize
2.6MB

MD5
b3838692b428c96dd6c5e3eb6dccbe3d

SHA1
21ef2ae1770dd6005560b98a61f3d7b4752052ed

SHA256
d4990ca93a1e74464a03ed6b7db8ca6405da9002a8b4ffbb8d08a6ead4427f63

SHA512
694963160f0819c913d37372a3075a255781338d84c015c14d153343d41d4fa536dd1e4a289380b3e27811978b623b25efe2d063fe63ed8bde7853fcc33d8554

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl.dll

Filesize
4.2MB

MD5
52b8bff530ef8f2d919c9d2c5dea1947

SHA1
aaf82d893c4f9e803bea7fcfe36d5e0d8f5e1991

SHA256
34ab069c38f9dba671fa22bce13d8be3c28480ce23e08655a2a21c4072949631

SHA512
a40588b4ade76a4f308f9f6bbed3d34e31b1fcc32baca29aa655aad541139b851f12c21c443d29d3db20ccdd252331996d9e99371035dbd28f9457819f2da7f1

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
356KB

MD5
d77ae460c0411b137e405520a0fd5120

SHA1
bbc8d377d5485ddb25618b3934777eff5e615bab

SHA256
760727b8043010cd86d76da1fc61824541c480aa2d8c59c9d953248c9c7123c2

SHA512
52901693309482b7e39468e9d369df78157dbcdee3dec89d1037508f09ca516930360648025bc355dc1cf67e19261578a99c41879e72ef37cdce27d8e49d03d0

Download Submit
memory/1536-67-0x0000000003A90000-0x0000000003B83000-memory.dmp

Filesize
972KB

Download
memory/1536-48-0x0000000000400000-0x000000000070F200-memory.dmp

Filesize
3.1MB

Download
memory/1536-76-0x0000000000ED0000-0x00000000011E0000-memory.dmp

Filesize
3.1MB

Download
memory/1536-51-0x0000000000ED0000-0x00000000011E0000-memory.dmp

Filesize
3.1MB

Download
memory/1536-68-0x0000000073430000-0x0000000073863000-memory.dmp

Filesize
4.2MB

Download
memory/1536-75-0x0000000000400000-0x000000000070F200-memory.dmp

Filesize
3.1MB

Download
memory/1536-50-0x0000000000ED0000-0x00000000011E0000-memory.dmp

Filesize
3.1MB

Download
memory/1536-49-0x0000000000ED0000-0x00000000011E0000-memory.dmp

Filesize
3.1MB

Download
memory/1536-77-0x0000000000ED0000-0x00000000011E0000-memory.dmp

Filesize
3.1MB

Download
memory/1536-58-0x0000000003A90000-0x0000000003B83000-memory.dmp

Filesize
972KB

Download
memory/1616-63-0x0000000000AA0000-0x0000000000B93000-memory.dmp

Filesize
972KB

Download
memory/1616-66-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1616-64-0x0000000000AA0000-0x0000000000B93000-memory.dmp

Filesize
972KB

Download
memory/1772-0-0x0000000000400000-0x000000000070F200-memory.dmp

Filesize
3.1MB

Download
memory/1772-9-0x0000000004440000-0x0000000004533000-memory.dmp

Filesize
972KB

Download
memory/1772-37-0x0000000000400000-0x000000000070F200-memory.dmp

Filesize
3.1MB

Download
memory/1772-33-0x0000000074240000-0x0000000074673000-memory.dmp

Filesize
4.2MB

Download
memory/2764-43-0x0000000004420000-0x0000000004730000-memory.dmp

Filesize
3.1MB

Download
memory/2764-42-0x0000000004420000-0x0000000004730000-memory.dmp

Filesize
3.1MB

Download
memory/2764-57-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2764-39-0x0000000000500000-0x00000000005F3000-memory.dmp

Filesize
972KB

Download
memory/2764-38-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2764-35-0x0000000000500000-0x00000000005F3000-memory.dmp

Filesize
972KB

Download
memory/2764-34-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2764-23-0x0000000000500000-0x00000000005F3000-memory.dmp

Filesize
972KB

Download
memory/2764-24-0x0000000000500000-0x00000000005F3000-memory.dmp

Filesize
972KB

Download
memory/2764-15-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download

Analysis

Sharing