8b8b3f8f54abd3b9b6b2620362f5e0773f9859ae468fdd4c816797b261b50ea0

General

Target

avanss.exe
Size

75KB
MD5

c4c8795510f78d2251f0b746d46429b5
SHA1

2caf2fc8895b7a88c32281bdeff3ce7fb298d6bf
SHA256

8b8b3f8f54abd3b9b6b2620362f5e0773f9859ae468fdd4c816797b261b50ea0
SHA512

4ab80bc55a1fc2cfde22545799a27004bbfd0fcc4d106daff6fd1589708f5d82d1a9b4361395dc2a90155a97efa2ec56c9c7703844f9af807274ec91edcc4e97
SSDEEP

1536:4Ub2to+b4SFSN007ZxgOzdupbj4VQ3aDwFd:4Ub2trb4SQNl3Vq3aDa

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avanss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	avanss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2568	1640	avanss.exe	30
PID 1640 wrote to memory of 2568	1640	avanss.exe	30
PID 1640 wrote to memory of 2568	1640	avanss.exe	30
PID 1640 wrote to memory of 2568	1640	avanss.exe	30
PID 2568 wrote to memory of 2576	2568	csc.exe	33
PID 2568 wrote to memory of 2576	2568	csc.exe	33
PID 2568 wrote to memory of 2576	2568	csc.exe	33
PID 2568 wrote to memory of 2576	2568	csc.exe	33

C:\Users\Admin\AppData\Local\Temp\avanss.exe
"C:\Users\Admin\AppData\Local\Temp\avanss.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n1gyguor\n1gyguor.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB1C.tmp" "c:\Users\Admin\AppData\Local\Temp\n1gyguor\CSC791A2045F6184134A215A0A39F3D90DA.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabD75D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB1C.tmp

Filesize
1KB

MD5
9bf877d57d02850c22a0108d2cfdf6f7

SHA1
9e88b41171077f27f8dfacdcaf96e246930681fc

SHA256
9c6441850c1a0981d22c90d68e6acf6d9306ffd545169afbdffddc5044050888

SHA512
b58ade0b01553b2979650cf49900c8365f2c2bdd1af003bcca5b6f671f2b96e3ea251bf0bca8e39e4a9d49fda116c0ccfafd5a20b9befd181d0ca8cfed47a85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD770.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1gyguor\n1gyguor.dll

Filesize
4KB

MD5
e03e21b20df98b276a88faa8bdbb3ca2

SHA1
26c19f500565b5952ae5bf44fd146719a3d47c41

SHA256
5aecf67cd8a29fa7ddba549ddecd78a8250a9470cb243357145f4105063e805d

SHA512
ce3bbf10383490372e3759cdb39a76ced12a0d69d9d09e63f7f81bd94505dca256de4f6dcd77f9a4afee867cf31da4d70e96a865812bee061d6d9a4ac022316c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n1gyguor\CSC791A2045F6184134A215A0A39F3D90DA.TMP

Filesize
652B

MD5
957410a058339c7eb53992ac00a78566

SHA1
f1f3f61aec447821ba2a2d255e220e0198fc5d36

SHA256
6eed739eb66d86eac7f8f5344f30436393a5e9cddab4c9f52e959755a6179083

SHA512
d660c401696e6b4d696ca03a588167599cc8b22b2f850bfabe4a539c2a7e412f267ca9200202fba63a6156a0d70d81389b5a551443a50f3bdcef2e644000a3cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n1gyguor\n1gyguor.0.cs

Filesize
831B

MD5
3a7abcbcc7e75d02c2ba87ab984253e0

SHA1
6eda407060d6911209932243d0fdbb19a33d0f25

SHA256
2faf96d04d71543170b4e2cd0fee9cca3183040c85cd56dcbfeac7711da99ad2

SHA512
1100076754edbb7a4e0597d4288237e9fbfe4fd7832d67f2100fb1b7a1c47375613058b2659682442ce3cbe918a3b88f2c30951e9ab9d63e4bfc504df50a6ecc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n1gyguor\n1gyguor.cmdline

Filesize
270B

MD5
4956075c4f4c5e3b581d1b991f94f09e

SHA1
89553171194016664e41608b040fca2b87678082

SHA256
f66efa5863aca33f89d5cb07f40c54276397d199311e72216c7b8559db2cd39e

SHA512
b8177cc0b1ef98ef870e489a8e30b4571b68b0849c5b4545598577795cd595e65f54550c9301e15ceb2b92b778aa4284868ed4b58c5de530d40d41a2df259a78

Download Submit
memory/1640-2-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/1640-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/1640-15-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/1640-1-0x00000000009C0000-0x00000000009D8000-memory.dmp

Filesize
96KB

Download
memory/1640-69-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/1640-70-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing