1225b77ccd2c1479b52f0ba03fee7b6a07cc7dd12660f62a369a156a31f10946

General

Target

d7d1fc2e7181c835679f6743e884b210N.exe
Size

3.5MB
MD5

d7d1fc2e7181c835679f6743e884b210
SHA1

c9866d544b7042dc4bc795e5afe03ec54b4fb1eb
SHA256

1225b77ccd2c1479b52f0ba03fee7b6a07cc7dd12660f62a369a156a31f10946
SHA512

7fa22d51d3721826ea7185eb6423804239260d6b223cc668196983fee104e1c29127e561492f9f380102cc0bae58309b6c0649e9546071831ca53fe00fff3484
SSDEEP

49152:xaOLqZMLAxmB/Tv8lOzR7tQ0A5QGImYfujUkiVWEVPbhbIrs3xehOfqaJM2eH7bB:AOEMLA8bnGfjel4sB9fqUwJpVjwBE+nI

Score

6^/10

defense_evasion discovery

Malware Config

Signatures

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Executes dropped EXE 1 IoCs

pid	Process
2340	d7d1fc2e7181c835679f6743e884b210N.exe

Loads dropped DLL 1 IoCs

pid	Process
3056	d7d1fc2e7181c835679f6743e884b210N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7d1fc2e7181c835679f6743e884b210N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7d1fc2e7181c835679f6743e884b210N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2340	3056	d7d1fc2e7181c835679f6743e884b210N.exe	30
PID 3056 wrote to memory of 2340	3056	d7d1fc2e7181c835679f6743e884b210N.exe	30
PID 3056 wrote to memory of 2340	3056	d7d1fc2e7181c835679f6743e884b210N.exe	30
PID 3056 wrote to memory of 2340	3056	d7d1fc2e7181c835679f6743e884b210N.exe	30
PID 3056 wrote to memory of 2340	3056	d7d1fc2e7181c835679f6743e884b210N.exe	30
PID 3056 wrote to memory of 2340	3056	d7d1fc2e7181c835679f6743e884b210N.exe	30
PID 3056 wrote to memory of 2340	3056	d7d1fc2e7181c835679f6743e884b210N.exe	30
PID 2340 wrote to memory of 2652	2340	d7d1fc2e7181c835679f6743e884b210N.exe	31
PID 2340 wrote to memory of 2652	2340	d7d1fc2e7181c835679f6743e884b210N.exe	31
PID 2340 wrote to memory of 2652	2340	d7d1fc2e7181c835679f6743e884b210N.exe	31
PID 2340 wrote to memory of 2652	2340	d7d1fc2e7181c835679f6743e884b210N.exe	31

C:\Users\Admin\AppData\Local\Temp\d7d1fc2e7181c835679f6743e884b210N.exe
"C:\Users\Admin\AppData\Local\Temp\d7d1fc2e7181c835679f6743e884b210N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}\d7d1fc2e7181c835679f6743e884b210N.exe
  C:\Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}\d7d1fc2e7181c835679f6743e884b210N.exe /q"C:\Users\Admin\AppData\Local\Temp\d7d1fc2e7181c835679f6743e884b210N.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}" /IS_temp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}\_ISMSIDEL.INI

Filesize
704B

MD5
a66d35c68d1e7c05c03076f5b2505695

SHA1
9ea3c0a7c6d670941330867ef0f8f4649d28b500

SHA256
d71fd8714ad47320436ab0bf2e374cfcd46660ae0fb64236065022478c8a30d9

SHA512
b1eb7d905e6d042d6aae527ebacd2d30c1ec77f02be8f5636e1d6497aa2a114ed86da54690520cea45082c36a7ba98f1003b8c87cf683cf598e760543b73a296

Download Submit
C:\Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~9C8F.tmp

Filesize
5KB

MD5
36353e59e20ea55c00e23d620d756183

SHA1
f060f69ef640ff01cc9c0a41d589e8c1775d1c80

SHA256
57c9362b54b8cfc79332d33ec3c8e0fbb8df7709435de6ae63667dd094c82a0b

SHA512
d31938a11574c1059040a7f878e7254b6ced7095bceb1cf56d29f3c7118bcf805459a284d25e3051f2fd56a48124064292377106beb02420ba24d0e523298ca0

Download Submit
\Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}\d7d1fc2e7181c835679f6743e884b210N.exe

Filesize
3.5MB

MD5
d7d1fc2e7181c835679f6743e884b210

SHA1
c9866d544b7042dc4bc795e5afe03ec54b4fb1eb

SHA256
1225b77ccd2c1479b52f0ba03fee7b6a07cc7dd12660f62a369a156a31f10946

SHA512
7fa22d51d3721826ea7185eb6423804239260d6b223cc668196983fee104e1c29127e561492f9f380102cc0bae58309b6c0649e9546071831ca53fe00fff3484

Download Submit

Analysis

Sharing