fb5378e01f46ff1a9b3a0322451552918bef0c3a7f2a1fc82f1a3d783753dbcd

General

Target

5f1b878a21b60e4ac81f3a54c9539bb0N.exe
Size

1.0MB
MD5

5f1b878a21b60e4ac81f3a54c9539bb0
SHA1

dbfab1552106e112475009c708d4c06efa7bab06
SHA256

fb5378e01f46ff1a9b3a0322451552918bef0c3a7f2a1fc82f1a3d783753dbcd
SHA512

fe8443f8aa389dc30947b8cff1fc3df161a58325ecfdc708226e63724c38eb6d8b5f608f31626bd59f9e73c27921d3b7255fe9135bea83653a470b379d760eef
SSDEEP

24576:4CuQ7k91hxia8yBIwcG4RtegeohjT6S71OUnSAx:puQ7k91hxia8E93eZD17rx

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	5f1b878a21b60e4ac81f3a54c9539bb0N.exe

Executes dropped EXE 1 IoCs

pid	Process
4336	5f1b878a21b60e4ac81f3a54c9539bb0N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	5f1b878a21b60e4ac81f3a54c9539bb0N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\uninstall\rundl132.exe	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
File created	C:\Windows\Logo1_.exe	5f1b878a21b60e4ac81f3a54c9539bb0N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2240	4336	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe
3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 3508	3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe	83
PID 3648 wrote to memory of 3508	3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe	83
PID 3648 wrote to memory of 3508	3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe	83
PID 3508 wrote to memory of 592	3508	net.exe	85
PID 3508 wrote to memory of 592	3508	net.exe	85
PID 3508 wrote to memory of 592	3508	net.exe	85
PID 3648 wrote to memory of 1116	3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe	89
PID 3648 wrote to memory of 1116	3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe	89
PID 3648 wrote to memory of 1116	3648	5f1b878a21b60e4ac81f3a54c9539bb0N.exe	89
PID 1116 wrote to memory of 4336	1116	cmd.exe	91
PID 1116 wrote to memory of 4336	1116	cmd.exe	91
PID 1116 wrote to memory of 4336	1116	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\5f1b878a21b60e4ac81f3a54c9539bb0N.exe
"C:\Users\Admin\AppData\Local\Temp\5f1b878a21b60e4ac81f3a54c9539bb0N.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SysWOW64\net.exe
  net stop "Kingsoft AntiVirus Service"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a84FF.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Local\Temp\5f1b878a21b60e4ac81f3a54c9539bb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5f1b878a21b60e4ac81f3a54c9539bb0N.exe"
    3⤵
    - Executes dropped EXE
    PID:4336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 180
      4⤵
      Program crash
      PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4336 -ip 4336
1⤵
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a84FF.bat

Filesize
536B

MD5
00edd85c874f67dea75e16f31025e1a8

SHA1
b7674872b43459c4e59923d0532c76f9eeb26b9e

SHA256
46bee7e4ba08550773fcc089e78f27a774f135475a84890491bec791ac248d36

SHA512
3204f5f0ccaa26e75ebf2ac836e7281815c3c5eddeb4e4f1cba5e517039680bbe74afd1675c9ee2ff68a137643ea9b2d97d6e63160c8b50038a51fe4fab4163d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f1b878a21b60e4ac81f3a54c9539bb0N.exe.exe

Filesize
1004KB

MD5
148064f3f1e91ecd6561984925d47f00

SHA1
0d0fd99b96fb0261227394846f18995820e720b4

SHA256
01b6ee8d51719143cea2b6bede99299dac088b224fd363eea28178918fa85a6b

SHA512
d5b0acb091453c95b67fd01e21cfc1a2bfe2900ee729b60139f41e2126a79a33781e4db824ef2082e014edfae81feadebb831341879fed110f216317c1716c1f

Download Submit
memory/3648-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3648-1-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/3648-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4336-13-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads