511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3

General

Target

511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.exe
Size

45.0MB
MD5

2735aa6b088eb9db69fbb5aee54f9518
SHA1

51b08327ca7e95998d6edb02cb635bd136f11def
SHA256

511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3
SHA512

e9611187c3295f5ed37bc3714ab5b14dd81ff46457a52575c1a58ae4f279ee5549a1d7510cb620188046a77906334bd76799295b0c3b5a47825a215e9db787d8
SSDEEP

786432:d/Zs2yAk/aI86tNyUP5VfoPYY73ZDgSgwiWYcjiil8stBnpfWeIn3fVkIlsWUsDb:d/Z3yAk/aVUxpoPYmPlPPx9G3fVgA4k

Score

8^/10

discovery evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
440	511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.tmp

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
244	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4732	taskkill.exe
2068	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 440	2296	511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.exe	81
PID 2296 wrote to memory of 440	2296	511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.exe	81
PID 2296 wrote to memory of 440	2296	511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.exe	81
PID 440 wrote to memory of 4732	440	511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.tmp	82
PID 440 wrote to memory of 4732	440	511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.tmp	82
PID 440 wrote to memory of 4732	440	511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.tmp	82
PID 440 wrote to memory of 2068	440	511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.tmp	85
PID 440 wrote to memory of 2068	440	511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.tmp	85
PID 440 wrote to memory of 2068	440	511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.tmp	85
PID 440 wrote to memory of 244	440	511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.tmp	87
PID 440 wrote to memory of 244	440	511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.tmp	87
PID 440 wrote to memory of 244	440	511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.tmp	87

C:\Users\Admin\AppData\Local\Temp\511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.exe
"C:\Users\Admin\AppData\Local\Temp\511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\is-POBJ9.tmp\511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-POBJ9.tmp\511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.tmp" /SL5="$40220,46398608,813568,C:\Users\Admin\AppData\Local\Temp\511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /F /im servers.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4732
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /F /im Telegram.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" delete WindowsTaskHostProcSvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-POBJ9.tmp\511267e4e58db76b91fd2e6fc561d58178d127de256864edd1d55980bd7662f3.tmp

Filesize
2.5MB

MD5
cbd88ebe6dd20ceb35e5773622452a33

SHA1
0fbce55cc0311b977484ed0f74e43a8c80884fc5

SHA256
fc251ad0fc9a6f44652e8d4b403318dffb6c7bacd472d85589658fe9f8e2bea2

SHA512
648340d42cf50dfe9673e050a42cb80b04f77fe77313bb9b4258875a76fcb81957c70303c23af26cb305ef8be8920824113812bee1b1cba5d90c1cfc79d46447

Download Submit
memory/440-6-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/440-9-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/2296-0-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2296-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2296-8-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download

Analysis

Sharing