8b8b3f8f54abd3b9b6b2620362f5e0773f9859ae468fdd4c816797b261b50ea0

General

Target

avanss.exe
Size

75KB
MD5

c4c8795510f78d2251f0b746d46429b5
SHA1

2caf2fc8895b7a88c32281bdeff3ce7fb298d6bf
SHA256

8b8b3f8f54abd3b9b6b2620362f5e0773f9859ae468fdd4c816797b261b50ea0
SHA512

4ab80bc55a1fc2cfde22545799a27004bbfd0fcc4d106daff6fd1589708f5d82d1a9b4361395dc2a90155a97efa2ec56c9c7703844f9af807274ec91edcc4e97
SSDEEP

1536:4Ub2to+b4SFSN007ZxgOzdupbj4VQ3aDwFd:4Ub2trb4SQNl3Vq3aDa

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avanss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	avanss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2756	3064	avanss.exe	30
PID 3064 wrote to memory of 2756	3064	avanss.exe	30
PID 3064 wrote to memory of 2756	3064	avanss.exe	30
PID 3064 wrote to memory of 2756	3064	avanss.exe	30
PID 2756 wrote to memory of 2628	2756	csc.exe	32
PID 2756 wrote to memory of 2628	2756	csc.exe	32
PID 2756 wrote to memory of 2628	2756	csc.exe	32
PID 2756 wrote to memory of 2628	2756	csc.exe	32

C:\Users\Admin\AppData\Local\Temp\avanss.exe
"C:\Users\Admin\AppData\Local\Temp\avanss.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hfcamyaz\hfcamyaz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES261.tmp" "c:\Users\Admin\AppData\Local\Temp\hfcamyaz\CSC30AFED143A7748619A9775804E533C88.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab502.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES261.tmp

Filesize
1KB

MD5
d3a8c7ca55fcb55816905cc68c336d19

SHA1
3a2940bf54f3d52bc9387f4d130de57df84fdebf

SHA256
a26c2d5ce999f60e81540451f85d27c0a909ba0b6e16ef5d7d60a52da59e2731

SHA512
e84f5e7e75b9f2ddfb5173618e276023b6f33252692e4a98301bd27b654c6ca51fcfc9f6f88da24659a59e7ff3489b0e319663929f9fdfd04583e4cfa21db834

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar524.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfcamyaz\hfcamyaz.dll

Filesize
4KB

MD5
d9bf1664a5a99f89233780c94c485901

SHA1
995f618c036fab459255c3fb56d161c0983fcbb6

SHA256
12594813ea3a892ee4a757198042ade6f86d0d6e13f2c308eb20b7d69f87a8ca

SHA512
7f22712f0577df826aec9ae35225da530ceaba5d8785523ce2452a8ae0f2b974eaebfd4727f7f252f91e3ff4a54edb5697b6a4795b96de8928fc6720377e1eb9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfcamyaz\CSC30AFED143A7748619A9775804E533C88.TMP

Filesize
652B

MD5
82887709f02e724411d6a86da4d2c79f

SHA1
ceee02f7ef405687d6435eda626bd5a893e2e895

SHA256
da9444c7dfc942a5ed5607c819780afdce1702ca148109cab3f72514782adfe5

SHA512
533e6fef920e5c01f2330ea8f8afb04d6692850f834e5a25118db831d33dc70c0f2fee92ffd543a8e2194b1740f8f033f3a911cddb956da74be63334883d45e4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfcamyaz\hfcamyaz.0.cs

Filesize
831B

MD5
3a7abcbcc7e75d02c2ba87ab984253e0

SHA1
6eda407060d6911209932243d0fdbb19a33d0f25

SHA256
2faf96d04d71543170b4e2cd0fee9cca3183040c85cd56dcbfeac7711da99ad2

SHA512
1100076754edbb7a4e0597d4288237e9fbfe4fd7832d67f2100fb1b7a1c47375613058b2659682442ce3cbe918a3b88f2c30951e9ab9d63e4bfc504df50a6ecc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfcamyaz\hfcamyaz.cmdline

Filesize
270B

MD5
79550f12e0e948f10149279bbbc37c05

SHA1
f9ec38081e629b5f60a5d449ed9ce8ddda81f6ca

SHA256
51732d40646bc23cd7720d1d0645d987747342b584383673a6f166ae6e2925d4

SHA512
d1688c5e6caf98421d42dca30966a9b3c359a0aeac483364e07e5670f50722a09e1f9b2cf33c683be1b9ae6c897657cd5835207ccce6cca5477cc5ad2bc9bfd6

Download Submit
memory/3064-0-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/3064-15-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/3064-2-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-1-0x00000000003F0000-0x0000000000408000-memory.dmp

Filesize
96KB

Download
memory/3064-69-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-70-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/3064-71-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing