151e25f0549fa1eb10fe1e674539d639f4eca600caf93e113a5d7b35ab0accbd

General

Target

151e25f0549fa1eb10fe1e674539d639f4eca600caf93e113a5d7b35ab0accbd.exe
Size

588KB
MD5

c9e3c32ff530b880dc99a25d146b3ffc
SHA1

72668e423fce9eb9546a57b495e993785eb81f13
SHA256

151e25f0549fa1eb10fe1e674539d639f4eca600caf93e113a5d7b35ab0accbd
SHA512

2047edb2e08609175e46af670a4824f64addbfb9918e432a769f1cd513b2eb7767c10589edfac7497f3cdb70da51dbaecb6eb5e0bc26946918b7a2977df99170
SSDEEP

6144:oGXBqTi0hbFVJnsdPq0TYU4bWmb8pRYp9HtfqQnHlETCf/MiO7OhQPdVw1iieJVB:oGXknsdPhTYUDvU9nHWTFPdxJVQX+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2848	EUEXEXd.exe

Loads dropped DLL 3 IoCs

pid	Process
2848	EUEXEXd.exe
2848	EUEXEXd.exe
2848	EUEXEXd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EUEXEXd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2356	151e25f0549fa1eb10fe1e674539d639f4eca600caf93e113a5d7b35ab0accbd.exe
2356	151e25f0549fa1eb10fe1e674539d639f4eca600caf93e113a5d7b35ab0accbd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	EUEXEXd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2848	2648	taskeng.exe	34
PID 2648 wrote to memory of 2848	2648	taskeng.exe	34
PID 2648 wrote to memory of 2848	2648	taskeng.exe	34
PID 2648 wrote to memory of 2848	2648	taskeng.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\151e25f0549fa1eb10fe1e674539d639f4eca600caf93e113a5d7b35ab0accbd.exe
"C:\Users\Admin\AppData\Local\Temp\151e25f0549fa1eb10fe1e674539d639f4eca600caf93e113a5d7b35ab0accbd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2356

C:\Windows\system32\taskeng.exe
taskeng.exe {98F2C87B-EE54-4D7D-92F3-DA4234939BF0} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\ProgramData\DXDXDW\EUEXEXd.exe
  C:\ProgramData\DXDXDW\EUEXEXd.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DXDXDW\EUEXEXd.exe

Filesize
86KB

MD5
03706618a4b880538f086fae374b06cd

SHA1
87af405c4ed70d56f555bc0c781f7f1fdd0c9b68

SHA256
04db5fd77a016d339c642639cd5338e7c7777d9b66344c04c325f1e4c57fa00f

SHA512
da5c6744f1fd5fde838af7635a48971910b08a7ca06018e05df85891e3bfbca59b65c4341763480c638ad3ddbae431a2419ac3b3c55135486b68b3e686acb682

Download Submit
C:\ProgramData\DXDXDW\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\DXDXDW\longlq.cl

Filesize
1.2MB

MD5
fce10be72c95c3474f180c6bb4199ad2

SHA1
4282d30ba098a335a6e49fbc207e000217be2d0b

SHA256
91d410d794392928fcb4839701c830b43d2be0eebb37f3344fc4cbf2440e0f8e

SHA512
12cddd979450fd4402673d03f313ac43c5fe73d01109f7288eb2f8441b2c00bf2297f1d8276fc787c2fbb0f70b4bbcf387f05f8624c6f07aadb2dea5e87bf5c4

Download Submit
C:\ProgramData\DXDXDW\mfc100.dll

Filesize
2.0MB

MD5
68f4ad152edb542fbe8b7c7299224211

SHA1
26f053ed49f06602bcfa4d7edca1236752980245

SHA256
eafaa54fb20a043de1126e5e77eee115de1eb838e69e7c8f506a591e9a614dd9

SHA512
2222a137bcc7d6c65025412d4180f37d33b6b872b23c58676fd6aaf74c91f6014d393a44c249303b992a9252e0ec29c3fd8a63428e5ba339f821dd2184a62582

Download Submit
C:\Users\Admin\AppData\Roaming\BSBVB\Microsoft\Windows\Start Menu\Programs\startup\website_secure_lnk.lnk

Filesize
756B

MD5
47049eae7930867a0af114be6638473b

SHA1
8e6131a4c19ffcb8b91b1e6a4fe861fad16282fb

SHA256
9b5478e44a032c94351bd6f367d17b84fb475e94f78000d5022cc87f5f9ae335

SHA512
2d37e65fb0c370185ea08b05e40ededd689543d39539c9e6251775714dc26a18b9025030f5150253eff3090ea850a87d28ade58bb2845834f355906e22e3dbbb

Download Submit
C:\Users\Admin\AppData\Roaming\BSBVB\N6N6.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Public\WDWCWF

Filesize
1.5MB

MD5
125d85028d2fd4beb7fa737732141ff2

SHA1
c4dcda512422fa66cb15f9ed291716f4067858c0

SHA256
dcaae4dd392a29446931ca6410166b50858d0556ad0df14213acabaa437d8b35

SHA512
0618734f38155462686b29a9ce6d3d2f457c9aa6ddb829d347a0a5c12671e7562cd6b308f0e853759dfd9bf2cb4224b98985eff604c2ac25e1a04f5e8d3c5d52

Download Submit
\ProgramData\DXDXDW\msvcp100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
memory/2356-0-0x0000000001B30000-0x0000000001BB6000-memory.dmp

Filesize
536KB

Download
memory/2356-4-0x0000000003480000-0x0000000003741000-memory.dmp

Filesize
2.8MB

Download
memory/2356-1-0x0000000180000000-0x00000001802CC000-memory.dmp

Filesize
2.8MB

Download
memory/2356-46-0x0000000001B30000-0x0000000001BB6000-memory.dmp

Filesize
536KB

Download
memory/2356-84-0x0000000001B30000-0x0000000001BB6000-memory.dmp

Filesize
536KB

Download
memory/2848-73-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2848-72-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2848-74-0x0000000000340000-0x000000000037B000-memory.dmp

Filesize
236KB

Download
memory/2848-77-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2848-78-0x0000000000340000-0x000000000037B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing