b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4

General

Target

b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Size

6.2MB
MD5

ea343c7830c34f40c0a70a67dbbcb47b
SHA1

37a59cb14876dc5f68abac25f6a2076e92e7eb95
SHA256

b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4
SHA512

e706c53426c1d254013f81230378352669b6181d3727f4223f74357efdae9aa46f330cea0e58dacfb4102d95b7d0f78e9a9ea8d5241103813e0d06f3f2892ea2
SSDEEP

196608:IT8BfHyY0Y+YneDPZiwGPNZqNIg74/rnkZ0:IAv0pmQBiwGCJ7Mg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2292	sg.tmp
2612	autorun.exe

Loads dropped DLL 3 IoCs

pid	Process
2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
2612	autorun.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2980-0-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral1/memory/2060-8-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral1/memory/2060-11-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral1/memory/2980-58-0x0000000000400000-0x000000000058A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autorun.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeBackupPrivilege	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeRestorePrivilege	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: 33	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeIncBasePriorityPrivilege	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeCreateGlobalPrivilege	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: 33	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeIncBasePriorityPrivilege	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: 33	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeIncBasePriorityPrivilege	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeBackupPrivilege	2060	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeRestorePrivilege	2060	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: 33	2060	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeIncBasePriorityPrivilege	2060	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: 33	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeIncBasePriorityPrivilege	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeRestorePrivilege	2292	sg.tmp
Token: 35	2292	sg.tmp
Token: SeSecurityPrivilege	2292	sg.tmp
Token: SeSecurityPrivilege	2292	sg.tmp
Token: 33	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeIncBasePriorityPrivilege	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2612	autorun.exe
2612	autorun.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2536	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	30
PID 2980 wrote to memory of 2536	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	30
PID 2980 wrote to memory of 2536	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	30
PID 2980 wrote to memory of 2536	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	30
PID 2980 wrote to memory of 2060	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	32
PID 2980 wrote to memory of 2060	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	32
PID 2980 wrote to memory of 2060	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	32
PID 2980 wrote to memory of 2060	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	32
PID 2980 wrote to memory of 2292	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	33
PID 2980 wrote to memory of 2292	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	33
PID 2980 wrote to memory of 2292	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	33
PID 2980 wrote to memory of 2292	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	33
PID 2980 wrote to memory of 2612	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	35
PID 2980 wrote to memory of 2612	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	35
PID 2980 wrote to memory of 2612	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	35
PID 2980 wrote to memory of 2612	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	35
PID 2980 wrote to memory of 2612	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	35
PID 2980 wrote to memory of 2612	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	35
PID 2980 wrote to memory of 2612	2980	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	35

C:\Users\Admin\AppData\Local\Temp\b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
"C:\Users\Admin\AppData\Local\Temp\b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
  PECMD**pecmd-cmd* PUTF -dd -skipb=1038848 -len=5472305 "C:\Users\Admin\AppData\Local\Temp\~2345175479492678547.tmp",,C:\Users\Admin\AppData\Local\Temp\b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Users\Admin\AppData\Local\Temp\~6046622615909240206~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~2345175479492678547.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~7406244960783808932"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Users\Admin\AppData\Local\Temp\~7406244960783808932\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\~7406244960783808932\autorun.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~2345175479492678547.tmp

Filesize
5.2MB

MD5
e2ae70c81a8a0f9c765e93fc7df9f1b9

SHA1
6ebb55ff0a02f907d432e9c72535783c75969400

SHA256
5710f739d1e8b34ea44b3124c9f37a39c7da868f6f432db07e41010ad87fc9eb

SHA512
1ede6096b6a5e885a4807d8c6b1a343f2797104c76a84fb4f520bf971ead5c10647b50dcf104725099e903bc2fd154a4937cc020d940cba7121e4eae36f01131

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7406244960783808932\autorun.exe

Filesize
1.8MB

MD5
dbdd35b466b8eb2326704e3831c65b03

SHA1
dbb80b119e06b23fb7aca3b49483fb1715a6841b

SHA256
eb1fc7a6e592baca000d57dece4b79cbaebfd388f5ea1a8d03c110d0791c5ad1

SHA512
b0ae4a2ab11720410ab098ca80c47cfacfc17e38958429cc71db46babb52def7331cde366ff676a0c02f69bb9d98e246dcd27256566bd9f67d170dcb6d2c25e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7406244960783808932\content.aed

Filesize
287KB

MD5
60d89bed8e02cf0709d99605fb91b4a4

SHA1
20eced2a1f53e3c709bbdc06bdd8d6fe7c4d7418

SHA256
2ca38c7b7d0962528afb5c150419d81020e49f1c15204db134d3e1aca2f566f8

SHA512
ad61b61b48e086fb4554dc827c8ce23327433ab04b3bf05b9b3ae2e985654cfebe7dad06fae1eeef48ce119ee826449ede6ca82c2cfa4fcd547f5b95f347e6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7406244960783808932\wxmsw28u_vc_ash.dll

Filesize
6.4MB

MD5
93f669d2c14195c8ea23ae76610a195d

SHA1
3414a5a953c5452e960a4a9e49cd7f5c6c46a318

SHA256
bd63de40a58f20e9c56e0b20f69977756c4ef999044d9f9c8b0f775aa4a67c1c

SHA512
bd5b5c5069abaf3b10a510f37417dd1fed46a07835dbb1a5565b5995e260b43fd894cc152e186d291e754c571e2275b13c50547247e49e1807a99de5c9b65140

Download Submit
\Users\Admin\AppData\Local\Temp\~6046622615909240206~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
memory/2060-8-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2060-11-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2980-0-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2980-7-0x0000000002B30000-0x0000000002CBA000-memory.dmp

Filesize
1.5MB

Download
memory/2980-58-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2980-59-0x0000000002B30000-0x0000000002CBA000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing