b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62

General

Target

b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62.exe
Size

970KB
MD5

0d00b10c7d7bea9e80f596b3f5ad78ec
SHA1

f3d31e1886eed6b1ab1d71537527bcd89b411c6a
SHA256

b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62
SHA512

be69b2ebfa1fb7fad2087b947707506e6ee7d87c447fb63e9aabe912c73b29013cab2c5bdc4727e613f36166a97aa92c55dced79ae51bb66b550b2ae28ebab39
SSDEEP

24576:1GRzatThRiVNbLGJv6plFh9iGa2oMYMgdsHGe7:o8TjFJspDLoVMgdkL7

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2592	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2892	WdExt.exe

Loads dropped DLL 4 IoCs

pid	Process
1484	b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62.exe
2696	cmd.exe
2696	cmd.exe
2892	WdExt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WdExt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1484	b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62.exe
2892	WdExt.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2696	1484	b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62.exe	30
PID 1484 wrote to memory of 2696	1484	b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62.exe	30
PID 1484 wrote to memory of 2696	1484	b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62.exe	30
PID 1484 wrote to memory of 2696	1484	b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62.exe	30
PID 1484 wrote to memory of 2592	1484	b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62.exe	32
PID 1484 wrote to memory of 2592	1484	b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62.exe	32
PID 1484 wrote to memory of 2592	1484	b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62.exe	32
PID 1484 wrote to memory of 2592	1484	b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62.exe	32
PID 2696 wrote to memory of 2892	2696	cmd.exe	34
PID 2696 wrote to memory of 2892	2696	cmd.exe	34
PID 2696 wrote to memory of 2892	2696	cmd.exe	34
PID 2696 wrote to memory of 2892	2696	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62.exe
"C:\Users\Admin\AppData\Local\Temp\b97cb76d76c1432c4806be6e0a7906621b2d6c2e9a0c7e951d9ffbf620638a62.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe
    "C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe

Filesize
970KB

MD5
7520fadc7dcd44c7e8ba21457cc2f61a

SHA1
c6b45b42d923e577af5613daa4903387a135468c

SHA256
45a75b5c1d39dac0e0ec7415b4fdeadb534f41c32052ecf3c8996594cd1a94fb

SHA512
ec761b5ee59789674dae8e04a131b046cedcff6113c753a5ab2cf0e30d7bfa5a6e0775ebb09efe20716d580b9b793917e86ebc8c2f7ac12750b9855842ceeefe

Download Submit
C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe

Filesize
971KB

MD5
289ae2190b76b399ce3db7acdc251010

SHA1
1b490600e64ab58f41c340f050894c3899ba0dea

SHA256
ade4db7b8f406f426e8cd574d5e42b2d4f62e12a1c80738209a11324aad69f15

SHA512
831a7105fdcad0172082543f81d55f3860e51721f60624dd22350e6b71e9f2a85d33c67d7e9d6b68012d2005d7c8ba577295623689dd3398a91f2cde5d0f4edb

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
105B

MD5
902a1098f800859502aec4eac3026495

SHA1
a6b209e9aa15087670e830af5de8179b31abc897

SHA256
ff5e923c453d3d61a7989b2b0f978b0bba924a7052667311c9eed54852a20cfd

SHA512
cf7f0197c78f9c7db81068fbc702596a00c5d7c8280751641965917056c0e71265a3a89f3daf6a3600faa13034b54fbedea50ea583723abbfc286f2e7e79fe77

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
302B

MD5
2867f5e063b38a0e2e2c17020f307c54

SHA1
70653f2a3059d7ceee78352bb28159fbd3c04f92

SHA256
255fe59dd8f81e441e097809726f49c325f7caad0d31684f55d57d84ff2fbbef

SHA512
6c022b921576518b2f6f98ef935187691cec874b970a115c34eb8433a3ad736f94e94e957f93e0b24a786588393166758efcf44d8ff5ddf972a4a0925427e8e2

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
684c111c78f8bf6fcb5575d400e7669c

SHA1
d587894c0beffdff00ae6d358a5463ef18bcb485

SHA256
080fb4cd0b92884c89efab9161685f3ba0666cd9dab8de6c752bfe35e4e45716

SHA512
bcf748d21be502d7346f56ffc9ef13f3394d46c679d7cf17289d007e91b4ead2ec4035b3ccd5626eb378958cbb6ac371edfde8319433db9b709694595ae53e4f

Download Submit
\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
memory/1484-0-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing