d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841

General

Target

d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe
Size

1.2MB
MD5

c7063a446a39404c6381dc8567bc4ab8
SHA1

bd75680dfc9773c3dbadf4249f33cbce1fae2e45
SHA256

d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841
SHA512

712be2ed1546e50b42bae968d89cc87891a9fa11975605f5d9b2618ce94b157af0d035d15ac88dedf4d6e9ff5e89d5622df1dbf01537c9bd6320faaf61eba7d3
SSDEEP

24576:FqDEvCTbMWu7rQYlBQcBiT6rprG8awl3LLa8hYozG8nwT45:FTvC/MTQYxsWR7awl3LCo

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 2744	2716	d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe	31
PID 2744 set thread context of 1188	2744	svchost.exe	21
PID 2744 set thread context of 2708	2744	svchost.exe	32
PID 2708 set thread context of 1188	2708	credwiz.exe	21

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	credwiz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe
2708	credwiz.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2716	d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe
2744	svchost.exe
1188	Explorer.EXE
1188	Explorer.EXE
2708	credwiz.exe
2708	credwiz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2744	2716	d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe	31
PID 2716 wrote to memory of 2744	2716	d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe	31
PID 2716 wrote to memory of 2744	2716	d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe	31
PID 2716 wrote to memory of 2744	2716	d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe	31
PID 2716 wrote to memory of 2744	2716	d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe	31
PID 1188 wrote to memory of 2708	1188	Explorer.EXE	32
PID 1188 wrote to memory of 2708	1188	Explorer.EXE	32
PID 1188 wrote to memory of 2708	1188	Explorer.EXE	32
PID 1188 wrote to memory of 2708	1188	Explorer.EXE	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe
  "C:\Users\Admin\AppData\Local\Temp\d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2744
- C:\Windows\SysWOW64\credwiz.exe
  "C:\Windows\SysWOW64\credwiz.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Allene

Filesize
266KB

MD5
d229f44fabf4723753b5a35c8de150b6

SHA1
8c78c72d879e0db9f74aff7fb3d64af16cfc4652

SHA256
ebd9fbeec2ae2be3ffd2729bec667cefe6f165312382ff33f9fa8b66412dc5e2

SHA512
81c44b1da2e4623694a48322f6322293f038b9586a48536b82175d8052c19c14a8589ae7c03b38199f012402262c5078edd0c9c9abe0c30c2690be1aab032d03

Download Submit
memory/1188-26-0x0000000007C80000-0x000000000843F000-memory.dmp

Filesize
7.7MB

Download
memory/1188-19-0x0000000007C80000-0x000000000843F000-memory.dmp

Filesize
7.7MB

Download
memory/2708-24-0x0000000001F50000-0x0000000002253000-memory.dmp

Filesize
3.0MB

Download
memory/2708-29-0x0000000001C80000-0x0000000001D22000-memory.dmp

Filesize
648KB

Download
memory/2708-28-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2708-27-0x0000000001C80000-0x0000000001D22000-memory.dmp

Filesize
648KB

Download
memory/2708-25-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2708-20-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2708-21-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2716-12-0x0000000000730000-0x0000000000734000-memory.dmp

Filesize
16KB

Download
memory/2744-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2744-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2744-23-0x00000000001E0000-0x0000000000203000-memory.dmp

Filesize
140KB

Download
memory/2744-18-0x00000000001E0000-0x0000000000203000-memory.dmp

Filesize
140KB

Download
memory/2744-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2744-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2744-14-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/2744-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing