4447425f0a7e2ec8aa7f5bb5c2716b686ad704762ea9bb6f2f6707f1ae4399e8

General

Target

Set-up.exe
Size

12.0MB
MD5

a7118dffeac3772076f1a39a364d608d
SHA1

6b984d9446f23579e154ec47437b9cf820fd6b67
SHA256

f1973746ac0a703b23526f68c639436f0b26b0bc71c4f5adf36dc5f6e8a7f4d0
SHA512

f547c13b78acda9ca0523f0f8cd966c906f70a23a266ac86156dc7e17e6349e5f506366787e7a7823e2b07b0d614c9bd08e34ca5cc4f48799b0fe36ac836e890
SSDEEP

98304:ReAtQzKADvk/9TEaImN9/tiHBIn8c3hCEFRUTaZnPZOtXwH:ReAOWOM/FE1mNHiFc3hr7UTaZnhOtXwH

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1080 set thread context of 1668	1080	Set-up.exe	30

Loads dropped DLL 7 IoCs

pid	Process
1668	more.com
2968	BacteriumPunch.a3x
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2696	2968	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BacteriumPunch.a3x

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1080	Set-up.exe
1080	Set-up.exe
1668	more.com
1668	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1080	Set-up.exe
1668	more.com

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1668	1080	Set-up.exe	30
PID 1080 wrote to memory of 1668	1080	Set-up.exe	30
PID 1080 wrote to memory of 1668	1080	Set-up.exe	30
PID 1080 wrote to memory of 1668	1080	Set-up.exe	30
PID 1080 wrote to memory of 1668	1080	Set-up.exe	30
PID 1668 wrote to memory of 2968	1668	more.com	32
PID 1668 wrote to memory of 2968	1668	more.com	32
PID 1668 wrote to memory of 2968	1668	more.com	32
PID 1668 wrote to memory of 2968	1668	more.com	32
PID 1668 wrote to memory of 2968	1668	more.com	32
PID 1668 wrote to memory of 2968	1668	more.com	32
PID 2968 wrote to memory of 2696	2968	BacteriumPunch.a3x	33
PID 2968 wrote to memory of 2696	2968	BacteriumPunch.a3x	33
PID 2968 wrote to memory of 2696	2968	BacteriumPunch.a3x	33
PID 2968 wrote to memory of 2696	2968	BacteriumPunch.a3x	33
PID 1668 wrote to memory of 2968	1668	more.com	32

C:\Users\Admin\AppData\Local\Temp\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\BacteriumPunch.a3x
    C:\Users\Admin\AppData\Local\Temp\BacteriumPunch.a3x
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 120
      4⤵
      Loads dropped DLL
      Program crash
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\463a5e76

Filesize
2.0MB

MD5
a9afb3764bfd4f4c2a6c5350a306fc52

SHA1
69f7a34fe37f64d236c5405c48b9ed39bbb5ec3a

SHA256
547c7eb254621fd8eb4ef3388034c3b906ba50c9635eb75e93e2227649076cdc

SHA512
95aa810f029dfbd1928a190516083caa6536462707fd1676736d8cce8554e1dccccba59735a6e7fa58c6f1538a19e2e006d90480de7be355552e925897745d70

Download Submit
\Users\Admin\AppData\Local\Temp\BacteriumPunch.a3x

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
memory/1080-0-0x00000000001D0000-0x000000000022E000-memory.dmp

Filesize
376KB

Download
memory/1080-1-0x000007FEF7B30000-0x000007FEF7C88000-memory.dmp

Filesize
1.3MB

Download
memory/1080-5-0x000007FEF7B49000-0x000007FEF7B4A000-memory.dmp

Filesize
4KB

Download
memory/1080-6-0x000007FEF7B30000-0x000007FEF7C88000-memory.dmp

Filesize
1.3MB

Download
memory/1080-10-0x000007FEF7B30000-0x000007FEF7C88000-memory.dmp

Filesize
1.3MB

Download
memory/1080-9-0x00000000001D0000-0x000000000022E000-memory.dmp

Filesize
376KB

Download
memory/1668-15-0x00000000751EE000-0x00000000751F0000-memory.dmp

Filesize
8KB

Download
memory/1668-14-0x00000000751E0000-0x0000000075354000-memory.dmp

Filesize
1.5MB

Download
memory/1668-16-0x00000000751E0000-0x0000000075354000-memory.dmp

Filesize
1.5MB

Download
memory/1668-12-0x0000000077850000-0x00000000779F9000-memory.dmp

Filesize
1.7MB

Download
memory/1668-23-0x00000000751E0000-0x0000000075354000-memory.dmp

Filesize
1.5MB

Download
memory/1668-24-0x00000000751EE000-0x00000000751F0000-memory.dmp

Filesize
8KB

Download
memory/2968-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2968-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2968-26-0x0000000000080000-0x00000000000F4000-memory.dmp

Filesize
464KB

Download
memory/2968-32-0x0000000000080000-0x00000000000F4000-memory.dmp

Filesize
464KB

Download
memory/2968-34-0x0000000000080000-0x00000000000F4000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing