acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3

General

Target

acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe
Size

353KB
MD5

4341fb6ccd5196547fba4517475ff015
SHA1

468bed560e4fc936768ba44a2f6adcca0101ddf0
SHA256

acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3
SHA512

9c180136c6411cd3797197c6551c4a67d99f65689f5c7fc2a274db3230364a216da95c82a46075ac961ce2ba9238fbf4a1bf793566cd90a8a177ad430cbc5a6e
SSDEEP

6144:jZuuObR8sVImcyYwmD1hAh/+0NE1kBeXiwPRiNzRGI/3gFZ/dS03WZj4z8Adpujf:oV+mz4oh/n2jR2n3kS1j4z8Zm2/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2716	sisisisis.exe
2148	sisisisis.exe

Loads dropped DLL 3 IoCs

pid	Process
2360	acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe
2360	acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe
2716	sisisisis.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 2148	2716	sisisisis.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sisisisis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sisisisis.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2148	sisisisis.exe
2148	sisisisis.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	sisisisis.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2084	DllHost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2716	2360	acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe	32
PID 2360 wrote to memory of 2716	2360	acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe	32
PID 2360 wrote to memory of 2716	2360	acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe	32
PID 2360 wrote to memory of 2716	2360	acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe	32
PID 2716 wrote to memory of 2148	2716	sisisisis.exe	33
PID 2716 wrote to memory of 2148	2716	sisisisis.exe	33
PID 2716 wrote to memory of 2148	2716	sisisisis.exe	33
PID 2716 wrote to memory of 2148	2716	sisisisis.exe	33
PID 2716 wrote to memory of 2148	2716	sisisisis.exe	33
PID 2716 wrote to memory of 2148	2716	sisisisis.exe	33
PID 2716 wrote to memory of 2148	2716	sisisisis.exe	33
PID 2148 wrote to memory of 1204	2148	sisisisis.exe	21
PID 2148 wrote to memory of 1204	2148	sisisisis.exe	21
PID 2148 wrote to memory of 1204	2148	sisisisis.exe	21
PID 2148 wrote to memory of 1204	2148	sisisisis.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe
  "C:\Users\Admin\AppData\Local\Temp\acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\sisisisis.exe
    "C:\Users\Admin\AppData\Local\Temp\sisisisis.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\sisisisis.exe
      C:\Users\Admin\AppData\Local\Temp\sisisisis.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2148

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\amel_n.jpg

Filesize
40KB

MD5
0eccc7bf8f7af941eab6c6b5621a1336

SHA1
c7f53e98a4f395da2a33c108f2bddeb0d1a7772f

SHA256
cca52c4a5703f9773c923dcd15e6135d7fbf23f7b19668d00b4d10da7af8129c

SHA512
807f09085de275a1632b8eabbadb7af16a29b087a8409abe404084a94ca37a19fbb499515d653756a6e1c544c02d5526a2faf28471f562d78bac016d5fb086fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sisisisis.exe

Filesize
275KB

MD5
9cd07b06963a692db8e14f058d8c3645

SHA1
1f02d202f6fd15ce560d0ebe1313afd03fdd0352

SHA256
4476051a6f42f7252d3428d62b944e66145e3d54eb54a761dc3323b0a2669dad

SHA512
ef27690d4291fc725ed74ab75e01c07429956d349996110a22de0968b81067ff188e278ec0245658450a1c0607ab46398db3b3348b268e792f7074536767227f

Download Submit
memory/1204-43-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1204-40-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2084-5-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2084-6-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2084-53-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2148-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2148-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2148-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2148-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2148-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2148-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2360-4-0x0000000002050000-0x0000000002052000-memory.dmp

Filesize
8KB

Download
memory/2360-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2716-27-0x00000000771E0000-0x00000000772F0000-memory.dmp

Filesize
1.1MB

Download
memory/2716-39-0x00000000771E0000-0x00000000772F0000-memory.dmp

Filesize
1.1MB

Download
memory/2716-17-0x00000000001B0000-0x00000000001E2000-memory.dmp

Filesize
200KB

Download
memory/2716-26-0x00000000771F4000-0x00000000771F5000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing