d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d

General

Target

d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe
Size

208KB
MD5

24e1696914de486c46ce4ad22fee3b7c
SHA1

fe9acc2315aafa9ee22c990d140f62d2458c5a47
SHA256

d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d
SHA512

544a42b2f979740d5de345e9f02e1e4412637562f61d6a2d76498efc6ff2a16760280234c9dcf5e57a04d76035c7a2b8646e4414c6cd67955b733c76b0df49fb
SSDEEP

3072:KaUQG7WJg9pda0sbpAmWTgofalXgzFiM0XTsUnIuSAdt2I4NLthEjQT6:KXQ4fmOxWgzFidlSAdt2IQEj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1912	MKBXUQ.exe

Loads dropped DLL 2 IoCs

pid	Process
2588	cmd.exe
2588	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\MKBXUQ.exe	d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe
File opened for modification	C:\windows\SysWOW64\MKBXUQ.exe	d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe
File created	C:\windows\SysWOW64\MKBXUQ.exe.bat	d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MKBXUQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2712	d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe
1912	MKBXUQ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2712	d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe
2712	d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe
1912	MKBXUQ.exe
1912	MKBXUQ.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2588	2712	d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe	30
PID 2712 wrote to memory of 2588	2712	d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe	30
PID 2712 wrote to memory of 2588	2712	d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe	30
PID 2712 wrote to memory of 2588	2712	d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe	30
PID 2588 wrote to memory of 1912	2588	cmd.exe	32
PID 2588 wrote to memory of 1912	2588	cmd.exe	32
PID 2588 wrote to memory of 1912	2588	cmd.exe	32
PID 2588 wrote to memory of 1912	2588	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe
"C:\Users\Admin\AppData\Local\Temp\d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\MKBXUQ.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\windows\SysWOW64\MKBXUQ.exe
    C:\windows\system32\MKBXUQ.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MKBXUQ.exe.bat

Filesize
76B

MD5
c815c424ed0b18ad3bf3c7fe5d45ceb6

SHA1
7eab723f1176c1355121cd9ade13dba0034b1d15

SHA256
eff8de9f875990dd5e8f8feef979141385d30051ccca996ed352a833eb32b1b6

SHA512
4a7731ed6a9c6f3a5d9eb029a4192ff2016b750802be9a1ad6def72f1f6d9aa0d3110e67e92908ea6a09c871bcacd202576c8879ab53cd05140e2bae116cd419

Download Submit
\Windows\SysWOW64\MKBXUQ.exe

Filesize
208KB

MD5
316be4c32389359e72064d804744af50

SHA1
4b55b9e17d964a2e697bcbc5ec89a31970f5cbb2

SHA256
c40491b6e4bc5a31e6e71ebcfdbef497efc8358205f9316e74d42fbf8f869020

SHA512
dab6d205c6f7bcf1f251eaa480a299958af054a64015e485ca4c181c580bd3e100850b8d851cbeb6dee6c19a61d0de17c621bfda1046d1eb74023152344bb181

Download Submit
memory/1912-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1912-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2588-18-0x0000000000350000-0x0000000000388000-memory.dmp

Filesize
224KB

Download
memory/2588-17-0x0000000000350000-0x0000000000388000-memory.dmp

Filesize
224KB

Download
memory/2712-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2712-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing