2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c

General

Target

2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c.exe
Size

728KB
MD5

407f4fb0ddae376c9ded7acae48187f8
SHA1

38d7bb2c6db450d012aa2b0a82379c8ca1c517b6
SHA256

2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c
SHA512

142ba0c5102876677806fd4f00a863035a425e8846fa0c126e547ed381a7506d63ff0e1da6616466b9dbe00037d3b0c11c5f7530991c97b58ebed68dca745723
SSDEEP

12288:RxDsROJmafSPZD3YOnlw2KxPo0q7qrCFqyR3vtHKJY1fiqd8Cufe9ZqQwExtlJzD:RFI1TpU8Coi4Hdtq5B+cYHFfpA6NGRa

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2344	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2928	AIDS.7.exe

Loads dropped DLL 1 IoCs

pid	Process
2664	2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AIDS.7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2532	PING.EXE
2564	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2532	PING.EXE
2564	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2664	2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c.exe
Token: SeIncBasePriorityPrivilege	2928	AIDS.7.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2928	2664	2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c.exe	31
PID 2664 wrote to memory of 2928	2664	2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c.exe	31
PID 2664 wrote to memory of 2928	2664	2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c.exe	31
PID 2664 wrote to memory of 2928	2664	2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c.exe	31
PID 2664 wrote to memory of 2344	2664	2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c.exe	32
PID 2664 wrote to memory of 2344	2664	2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c.exe	32
PID 2664 wrote to memory of 2344	2664	2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c.exe	32
PID 2664 wrote to memory of 2344	2664	2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c.exe	32
PID 2928 wrote to memory of 2876	2928	AIDS.7.exe	34
PID 2928 wrote to memory of 2876	2928	AIDS.7.exe	34
PID 2928 wrote to memory of 2876	2928	AIDS.7.exe	34
PID 2928 wrote to memory of 2876	2928	AIDS.7.exe	34
PID 2928 wrote to memory of 2836	2928	AIDS.7.exe	35
PID 2928 wrote to memory of 2836	2928	AIDS.7.exe	35
PID 2928 wrote to memory of 2836	2928	AIDS.7.exe	35
PID 2928 wrote to memory of 2836	2928	AIDS.7.exe	35
PID 2344 wrote to memory of 2532	2344	cmd.exe	37
PID 2344 wrote to memory of 2532	2344	cmd.exe	37
PID 2344 wrote to memory of 2532	2344	cmd.exe	37
PID 2344 wrote to memory of 2532	2344	cmd.exe	37
PID 2836 wrote to memory of 2564	2836	cmd.exe	38
PID 2836 wrote to memory of 2564	2836	cmd.exe	38
PID 2836 wrote to memory of 2564	2836	cmd.exe	38
PID 2836 wrote to memory of 2564	2836	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c.exe
"C:\Users\Admin\AppData\Local\Temp\2fa122d082e56063c5c3f46cb8799e214469a50497dc9335101a88bc84c61e6c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\AIDS.7.exe
  "C:\Users\Admin\AppData\Local\Temp\AIDS.7.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\VCRUNTITO140.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~E7DF.tmp.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~E762.tmp.bat"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HZ~E762.tmp.bat

Filesize
266B

MD5
d8e64fbbc121ea767fa9cf0669448433

SHA1
d8f714c2740c7663760e8f3a48a8a1da84a6dc89

SHA256
9c4d94e0bc2c64bebefc2db73cc5b9c7378630b6a7a15c083137c9f2415aeb21

SHA512
f66ce1494bafef09bb7b3390174b39258254c854bc44b96972fa72fa906cf62186168afc7c16e8130faed6bb7796ee0971c6f9fadd175199020f48f376d711f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZ~E7DF.tmp.bat

Filesize
150B

MD5
23005a58c1eb8d0fb98268a94caa6bbe

SHA1
c1e7a77d99f7a29f532b199f94296fc3f3de0c28

SHA256
64386176c33a9f9ee1461512aecbaef5f8d46d7705ace5aa380bc7ce6f8da548

SHA512
47a1291981cf6c1b979bf0b341f0a5d93c66bbd3d5bf7f83a446eb9d0e3282b9c47165506eee4492af674908e0133700c2226239a80aae366d80055e8cd472dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCRUNTITO140.vbs

Filesize
34B

MD5
ffb6c245c1ac926dd365914972e6d220

SHA1
7edd022347c79ee47363a0f4c647b6b360b5d555

SHA256
4814068b93412a9cc1f5f611ae121eccca75d05c7b7284b8065ab3400c9a2bc5

SHA512
d3bf1663a7ee8d038b316609c0e48720521efe9dd21a1afdceb6cf6f8d95173430ea290bf083ec294f0623064ad4d0423f0ac0362a75aacda16b1c17ff40d1b2

Download Submit
\Users\Admin\AppData\Local\Temp\AIDS.7.exe

Filesize
514KB

MD5
8f2a9b84e0f9239cdd18575a8938130c

SHA1
ac773b441e2599905d1bd3872cb385ce17e744b1

SHA256
cc52310e74fb1a389ae878c5a9ec0cc9196888872d1e2e012a8e27337215777f

SHA512
ee96fee398be87ea50d3af7434d0d69a6ca041d4927c9fb6adc77fe725eb590ea3bdf52279f2fb3c232e2a7c2eb29cf652974972298c482b0e8e0ee76e208556

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads