b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4

General

Target

b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Size

6.2MB
MD5

ea343c7830c34f40c0a70a67dbbcb47b
SHA1

37a59cb14876dc5f68abac25f6a2076e92e7eb95
SHA256

b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4
SHA512

e706c53426c1d254013f81230378352669b6181d3727f4223f74357efdae9aa46f330cea0e58dacfb4102d95b7d0f78e9a9ea8d5241103813e0d06f3f2892ea2
SSDEEP

196608:IT8BfHyY0Y+YneDPZiwGPNZqNIg74/rnkZ0:IAv0pmQBiwGCJ7Mg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2932	sg.tmp
2228	autorun.exe

Loads dropped DLL 1 IoCs

pid	Process
2228	autorun.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4808-0-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/828-9-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/4808-54-0x0000000000400000-0x000000000058A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autorun.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeBackupPrivilege	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeRestorePrivilege	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: 33	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeIncBasePriorityPrivilege	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeCreateGlobalPrivilege	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: 33	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeIncBasePriorityPrivilege	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: 33	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeIncBasePriorityPrivilege	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeBackupPrivilege	828	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeRestorePrivilege	828	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: 33	828	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeIncBasePriorityPrivilege	828	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: 33	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeIncBasePriorityPrivilege	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeRestorePrivilege	2932	sg.tmp
Token: 35	2932	sg.tmp
Token: SeSecurityPrivilege	2932	sg.tmp
Token: SeSecurityPrivilege	2932	sg.tmp
Token: 33	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
Token: SeIncBasePriorityPrivilege	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2228	autorun.exe
2228	autorun.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 1852	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	83
PID 4808 wrote to memory of 1852	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	83
PID 4808 wrote to memory of 828	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	87
PID 4808 wrote to memory of 828	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	87
PID 4808 wrote to memory of 828	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	87
PID 4808 wrote to memory of 2932	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	88
PID 4808 wrote to memory of 2932	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	88
PID 4808 wrote to memory of 2932	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	88
PID 4808 wrote to memory of 2228	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	91
PID 4808 wrote to memory of 2228	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	91
PID 4808 wrote to memory of 2228	4808	b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe	91

C:\Users\Admin\AppData\Local\Temp\b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
"C:\Users\Admin\AppData\Local\Temp\b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:1852
- C:\Users\Admin\AppData\Local\Temp\b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
  PECMD**pecmd-cmd* PUTF -dd -skipb=1038848 -len=5472305 "C:\Users\Admin\AppData\Local\Temp\~494785605108963698.tmp",,C:\Users\Admin\AppData\Local\Temp\b5d65af4b755d9a6d537502b69e5a7aa2534327e84caca5f69861805293472a4.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Users\Admin\AppData\Local\Temp\~2294063428073978~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~494785605108963698.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~4166793172456651793"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\~4166793172456651793\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\~4166793172456651793\autorun.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~2294063428073978~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4166793172456651793\autorun.exe

Filesize
1.8MB

MD5
dbdd35b466b8eb2326704e3831c65b03

SHA1
dbb80b119e06b23fb7aca3b49483fb1715a6841b

SHA256
eb1fc7a6e592baca000d57dece4b79cbaebfd388f5ea1a8d03c110d0791c5ad1

SHA512
b0ae4a2ab11720410ab098ca80c47cfacfc17e38958429cc71db46babb52def7331cde366ff676a0c02f69bb9d98e246dcd27256566bd9f67d170dcb6d2c25e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4166793172456651793\content.aed

Filesize
287KB

MD5
60d89bed8e02cf0709d99605fb91b4a4

SHA1
20eced2a1f53e3c709bbdc06bdd8d6fe7c4d7418

SHA256
2ca38c7b7d0962528afb5c150419d81020e49f1c15204db134d3e1aca2f566f8

SHA512
ad61b61b48e086fb4554dc827c8ce23327433ab04b3bf05b9b3ae2e985654cfebe7dad06fae1eeef48ce119ee826449ede6ca82c2cfa4fcd547f5b95f347e6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4166793172456651793\wxmsw28u_vc_ash.dll

Filesize
6.4MB

MD5
93f669d2c14195c8ea23ae76610a195d

SHA1
3414a5a953c5452e960a4a9e49cd7f5c6c46a318

SHA256
bd63de40a58f20e9c56e0b20f69977756c4ef999044d9f9c8b0f775aa4a67c1c

SHA512
bd5b5c5069abaf3b10a510f37417dd1fed46a07835dbb1a5565b5995e260b43fd894cc152e186d291e754c571e2275b13c50547247e49e1807a99de5c9b65140

Download Submit
C:\Users\Admin\AppData\Local\Temp\~494785605108963698.tmp

Filesize
5.2MB

MD5
e2ae70c81a8a0f9c765e93fc7df9f1b9

SHA1
6ebb55ff0a02f907d432e9c72535783c75969400

SHA256
5710f739d1e8b34ea44b3124c9f37a39c7da868f6f432db07e41010ad87fc9eb

SHA512
1ede6096b6a5e885a4807d8c6b1a343f2797104c76a84fb4f520bf971ead5c10647b50dcf104725099e903bc2fd154a4937cc020d940cba7121e4eae36f01131

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~122661188717033749.tmp

Filesize
122B

MD5
0c781e35ff156cd7b45a771ed5a6e340

SHA1
f25769294a63e4720a59fd272949c1d205ec4827

SHA256
13696de79d37f65a96cb807023246a967a19f422b4e23218946a0ade2bb8d016

SHA512
136507a5de1203335a35d42f1cfc91370f28830d0306445f147a5d46a5d2677c3125969c046a117d9bcdc703c2d5dfc9d0bd6fe9a00b32d84d9a0f1c8dd48070

Download Submit
memory/828-9-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/4808-0-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/4808-54-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing