42f2af0b128e5b679f333178accdc3481b2c09a9207f11ccf908a231c5cae72e

General

Target

5f95bdf4489f05cd4395021f36d59080N.exe
Size

2.9MB
MD5

5f95bdf4489f05cd4395021f36d59080
SHA1

a7ac493eb92d616f8a9be4826434ac13d9596bcc
SHA256

42f2af0b128e5b679f333178accdc3481b2c09a9207f11ccf908a231c5cae72e
SHA512

3e46d2d4b3b2f0d94c661c795e3c427468b83084ecd796679da359ec7ef1b8e6af1aff8b48eb7e413f1c469fde07228ba0ca9c15b09d243cad4630fc4854efd0
SSDEEP

49152:U98k/vjvOjDdLoEhuu/uzvkW+jassB3qV5ewoqbR8pWlFTDDpPbYuukyUaj8mxpc:e8k3jWkzu2nssB3QkwoqbRcWl9tYjjvc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2748	5f95bdf4489f05cd4395021f36d59080N.tmp

Loads dropped DLL 4 IoCs

pid	Process
2472	5f95bdf4489f05cd4395021f36d59080N.exe
2748	5f95bdf4489f05cd4395021f36d59080N.tmp
2748	5f95bdf4489f05cd4395021f36d59080N.tmp
2748	5f95bdf4489f05cd4395021f36d59080N.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f95bdf4489f05cd4395021f36d59080N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f95bdf4489f05cd4395021f36d59080N.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2268	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2748	5f95bdf4489f05cd4395021f36d59080N.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2748	2472	5f95bdf4489f05cd4395021f36d59080N.exe	30
PID 2472 wrote to memory of 2748	2472	5f95bdf4489f05cd4395021f36d59080N.exe	30
PID 2472 wrote to memory of 2748	2472	5f95bdf4489f05cd4395021f36d59080N.exe	30
PID 2472 wrote to memory of 2748	2472	5f95bdf4489f05cd4395021f36d59080N.exe	30
PID 2472 wrote to memory of 2748	2472	5f95bdf4489f05cd4395021f36d59080N.exe	30
PID 2472 wrote to memory of 2748	2472	5f95bdf4489f05cd4395021f36d59080N.exe	30
PID 2472 wrote to memory of 2748	2472	5f95bdf4489f05cd4395021f36d59080N.exe	30
PID 2748 wrote to memory of 2268	2748	5f95bdf4489f05cd4395021f36d59080N.tmp	31
PID 2748 wrote to memory of 2268	2748	5f95bdf4489f05cd4395021f36d59080N.tmp	31
PID 2748 wrote to memory of 2268	2748	5f95bdf4489f05cd4395021f36d59080N.tmp	31
PID 2748 wrote to memory of 2268	2748	5f95bdf4489f05cd4395021f36d59080N.tmp	31

C:\Users\Admin\AppData\Local\Temp\5f95bdf4489f05cd4395021f36d59080N.exe
"C:\Users\Admin\AppData\Local\Temp\5f95bdf4489f05cd4395021f36d59080N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\is-HQT66.tmp\5f95bdf4489f05cd4395021f36d59080N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HQT66.tmp\5f95bdf4489f05cd4395021f36d59080N.tmp" /SL5="$400F4,2730126,82432,C:\Users\Admin\AppData\Local\Temp\5f95bdf4489f05cd4395021f36d59080N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im smservice.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-HQT66.tmp\5f95bdf4489f05cd4395021f36d59080N.tmp

Filesize
720KB

MD5
edcaf4336373f00c3fb1c3d2fd8b0bf8

SHA1
3ce7c32015c541cada4d6887656eb3bb546df08b

SHA256
63ffe50ed1d08f0ea3fc4d807f60dc64ed5fec676a0ccc76e1d07ff5b5464fe3

SHA512
abbaf020e43588b18313e4484170737136072bf169b4e859121e4d04cf6e30492cf218ffc01b5bb46f6289f535cce49313e17a628eeed2e08b746a891a67e869

Download Submit
\Users\Admin\AppData\Local\Temp\is-I7LUA.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-I7LUA.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
memory/2472-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2472-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2472-19-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2748-8-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2748-17-0x0000000001EE0000-0x0000000001F1C000-memory.dmp

Filesize
240KB

Download
memory/2748-22-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2748-21-0x0000000001EE0000-0x0000000001F1C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing