721b0c36231591389f18e7f1d46a1fca316b56cf6475d81b324d8342bc51d6a6

General

Target

cffcd193da87662106d661db3e325100N.exe
Size

540KB
MD5

cffcd193da87662106d661db3e325100
SHA1

a335ae81f11f6abd30e2c8c766dd877038699cbe
SHA256

721b0c36231591389f18e7f1d46a1fca316b56cf6475d81b324d8342bc51d6a6
SHA512

01778a1689b48cf7e8ba9cc05fd7920acb8abd2d58172b12f5f08b92d1d3867da6bbc7e2974463791dcb075b210ff79df02f6b2209c0e4b937e2dab910c9db7b
SSDEEP

12288:a95iO8D6bVKAhIwgC8cj3QrROuvatrXNcc:aG+VKUI3C8ckC9cc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2340	DF76.tmp
1884	cffcd193da87662106d661db3e325100N.exe

Loads dropped DLL 3 IoCs

pid	Process
2972	cffcd193da87662106d661db3e325100N.exe
2340	DF76.tmp
2340	DF76.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cffcd193da87662106d661db3e325100N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DF76.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cffcd193da87662106d661db3e325100N.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2340	DF76.tmp

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2340	DF76.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2340	2972	cffcd193da87662106d661db3e325100N.exe	31
PID 2972 wrote to memory of 2340	2972	cffcd193da87662106d661db3e325100N.exe	31
PID 2972 wrote to memory of 2340	2972	cffcd193da87662106d661db3e325100N.exe	31
PID 2972 wrote to memory of 2340	2972	cffcd193da87662106d661db3e325100N.exe	31
PID 2340 wrote to memory of 1884	2340	DF76.tmp	32
PID 2340 wrote to memory of 1884	2340	DF76.tmp	32
PID 2340 wrote to memory of 1884	2340	DF76.tmp	32
PID 2340 wrote to memory of 1884	2340	DF76.tmp	32

C:\Users\Admin\AppData\Local\Temp\cffcd193da87662106d661db3e325100N.exe
"C:\Users\Admin\AppData\Local\Temp\cffcd193da87662106d661db3e325100N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\DF76.tmp
  "C:\Users\Admin\AppData\Local\Temp\DF76.tmp" --pingC:\Users\Admin\AppData\Local\Temp\cffcd193da87662106d661db3e325100N.exe 637A7EBB41D2B7177B17368270F600A6E208CA88450FB87075452A01FF422E40F048D232B1AA0E573EEE63FC0AA5F610EA4CD5B6C8866F18AFA21B233517C4FF
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\cffcd193da87662106d661db3e325100N.exe
    "C:\Users\Admin\AppData\Local\Temp\cffcd193da87662106d661db3e325100N.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\DF76.tmp

Filesize
540KB

MD5
620c013cda8eeed6f3f85dfa5c33a3bd

SHA1
c45627df7a09f1e9a828f1528035667dff5a0f8e

SHA256
e7410a6b316269cb709a72942e9bccdf2c049a5ff1abbc66319cf9d7ba9808b8

SHA512
34fa8a02cb2bed4d8a0a83657493912b3e78ce37f433715d81bf0ee752c83555e1d77fd22d29c9b539137e85238c088144b1f6ab8d8837c0c8e23d24eb83df38

Download Submit
\Users\Admin\AppData\Local\Temp\cffcd193da87662106d661db3e325100N.exe

Filesize
180KB

MD5
1e4524dd4963fad9da23cc9dd22362be

SHA1
b13c2d9d734aea7d0912e000b367f58aa332954f

SHA256
7cb106de2392ae9c71eb7234747b0ae157c2487750cd5034a239247b8de02779

SHA512
1e3c1db9e57fc9aa1af626f5de8ddd5131c100ce8fef459e2b7cc65765dfc22ddb644c10f23bd28384616fe45b37039d95ee34861c3d5e5bec3b5464cc3efac4

Download Submit
memory/1884-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1884-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1884-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1884-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1884-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1884-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1884-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1884-22-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1884-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1884-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1884-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads