39499dd9ec7c300258547bc27886b92014c0f6ad10147be8437247180c14e708

General

Target

cf2b5f465139cc503a51150762c1bc40N.exe
Size

669KB
MD5

cf2b5f465139cc503a51150762c1bc40
SHA1

ae3df4e854bf4ade73c9b0a50b9bb7dbf5d7b990
SHA256

39499dd9ec7c300258547bc27886b92014c0f6ad10147be8437247180c14e708
SHA512

b34d4a4f9e8f7d35737994fde2a33a5b785b510bc059425f3a8295cf245ad12c6f2d263a801bdd28bef915f0b71b9823dcc2a2fd65db3a655751ecaa1d8e20cd
SSDEEP

12288:XPMBNf1rFe2lN26zXrhvazX+nC/OqAuiLXDSobdjoaxAt8NUtBtQTuMX6ueBsbdf:fMjfm2lDlS7uaOqAvSoaUAQGB2ThX6uV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1940	od_group_vcl.exe

Loads dropped DLL 6 IoCs

pid	Process
2308	cf2b5f465139cc503a51150762c1bc40N.exe
2308	cf2b5f465139cc503a51150762c1bc40N.exe
1940	od_group_vcl.exe
1940	od_group_vcl.exe
1940	od_group_vcl.exe
1940	od_group_vcl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf2b5f465139cc503a51150762c1bc40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	od_group_vcl.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1940	2308	cf2b5f465139cc503a51150762c1bc40N.exe	31
PID 2308 wrote to memory of 1940	2308	cf2b5f465139cc503a51150762c1bc40N.exe	31
PID 2308 wrote to memory of 1940	2308	cf2b5f465139cc503a51150762c1bc40N.exe	31
PID 2308 wrote to memory of 1940	2308	cf2b5f465139cc503a51150762c1bc40N.exe	31
PID 2308 wrote to memory of 1940	2308	cf2b5f465139cc503a51150762c1bc40N.exe	31
PID 2308 wrote to memory of 1940	2308	cf2b5f465139cc503a51150762c1bc40N.exe	31
PID 2308 wrote to memory of 1940	2308	cf2b5f465139cc503a51150762c1bc40N.exe	31
PID 1940 wrote to memory of 2080	1940	od_group_vcl.exe	32
PID 1940 wrote to memory of 2080	1940	od_group_vcl.exe	32
PID 1940 wrote to memory of 2080	1940	od_group_vcl.exe	32
PID 1940 wrote to memory of 2080	1940	od_group_vcl.exe	32

C:\Users\Admin\AppData\Local\Temp\cf2b5f465139cc503a51150762c1bc40N.exe
"C:\Users\Admin\AppData\Local\Temp\cf2b5f465139cc503a51150762c1bc40N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\¹ÜÀíÕ¾\od_group_vcl.exe
  C:\Users\Admin\AppData\Local\Temp\¹ÜÀíÕ¾\od_group_vcl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\¹ÜÀíÕ¾\login.ini

Filesize
201B

MD5
d5280adfa0a621dacfbf659a26d1829a

SHA1
3e4e8913baf885235cd54a1c67ae17bcf8157a47

SHA256
e199ecd0c8bb06e565a0f6de29d73ae49eb3b3de3a2038ca980448ee49bdd5a7

SHA512
4868e6534b714e0f92e99b74d24a779c2b0cf3c7f9a7f71f9d93537a08b90190117570c23490ee3defe06bbd838299b762ed55ef0999abe6f83a310e27509899

Download Submit
C:\Users\Admin\AppData\Local\Temp\¹ÜÀíÕ¾\od_gate_dll.dll

Filesize
264KB

MD5
45713c1a2f65f41b2f58f9af30a77d9a

SHA1
d33479e3acfe3b35ba8a3778f6550ef5bf5177e7

SHA256
111d92d44bca796ccf48e0278196d27b52116b10e9ed7434f84aaaddce78ac23

SHA512
44665dc6e9e8a9361895a9eac2b6dc7000284fbadea51f5368eaa94b622526c217162da55520798f2a7e2b3eecd444d531d76fa9fcd17115ae08d3206282d508

Download Submit
\Users\Admin\AppData\Local\Temp\¹ÜÀíÕ¾\od_group_vcl.exe

Filesize
1.4MB

MD5
deb3c1d70ff88e506e46d423ddffe884

SHA1
7fb5e5442bdf816dd52c608a41e8bbafb77ae456

SHA256
f28751bef6992581284654353f30a80c31a18279d6b609acabb981e6824a69b0

SHA512
036c429d066c3b2cac6214bdb1f4e391c7e203c688414d931df74238f9cb4703c8c20c2424bf773d61a18f515a63cfe5d13bb3080a47350855e265a01bf58cb7

Download Submit
memory/1940-25-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/2308-0-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2308-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2308-4-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2308-3-0x0000000000280000-0x00000000002CF000-memory.dmp

Filesize
316KB

Download
memory/2308-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2308-22-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2308-23-0x0000000000280000-0x00000000002CF000-memory.dmp

Filesize
316KB

Download
memory/2308-36-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing