1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83

General

Target

1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe
Size

389KB
MD5

d20d9d202c340b981989854985589930
SHA1

661707f5264c6bb231e7af829bb9fdfb9567bb70
SHA256

1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83
SHA512

2d7b7c84294ae21ea54f8d92f425ac2244721bb3358d3f3689edfc4adeb3a7c6c5ff8a307d33d053d0ee399e0c32d5344e337315d88ba982fe669c4b27101ab6
SSDEEP

6144:5zt17PeiSRnjRqhl/ZvljlR2w/AG0H8guWhIi9fU:5pZPgBl8lZvxix9c

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2416	a975l5GH0AdQ25.exe

Executes dropped EXE 2 IoCs

pid	Process
1248	a975l5GH0AdQ25.exe
2416	a975l5GH0AdQ25.exe

Loads dropped DLL 5 IoCs

pid	Process
2252	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe
2252	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe
2252	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe
1248	a975l5GH0AdQ25.exe
2416	a975l5GH0AdQ25.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WSQ6pint = "C:\\ProgramData\\7XWOn94vymA0bxZ\\a975l5GH0AdQ25.exe"	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2236 set thread context of 2252	2236	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe	30
PID 1248 set thread context of 2416	1248	a975l5GH0AdQ25.exe	32
PID 2416 set thread context of 2012	2416	a975l5GH0AdQ25.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a975l5GH0AdQ25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a975l5GH0AdQ25.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2252	2236	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe	30
PID 2236 wrote to memory of 2252	2236	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe	30
PID 2236 wrote to memory of 2252	2236	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe	30
PID 2236 wrote to memory of 2252	2236	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe	30
PID 2236 wrote to memory of 2252	2236	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe	30
PID 2236 wrote to memory of 2252	2236	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe	30
PID 2252 wrote to memory of 1248	2252	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe	31
PID 2252 wrote to memory of 1248	2252	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe	31
PID 2252 wrote to memory of 1248	2252	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe	31
PID 2252 wrote to memory of 1248	2252	1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe	31
PID 1248 wrote to memory of 2416	1248	a975l5GH0AdQ25.exe	32
PID 1248 wrote to memory of 2416	1248	a975l5GH0AdQ25.exe	32
PID 1248 wrote to memory of 2416	1248	a975l5GH0AdQ25.exe	32
PID 1248 wrote to memory of 2416	1248	a975l5GH0AdQ25.exe	32
PID 1248 wrote to memory of 2416	1248	a975l5GH0AdQ25.exe	32
PID 1248 wrote to memory of 2416	1248	a975l5GH0AdQ25.exe	32
PID 2416 wrote to memory of 2012	2416	a975l5GH0AdQ25.exe	33
PID 2416 wrote to memory of 2012	2416	a975l5GH0AdQ25.exe	33
PID 2416 wrote to memory of 2012	2416	a975l5GH0AdQ25.exe	33
PID 2416 wrote to memory of 2012	2416	a975l5GH0AdQ25.exe	33
PID 2416 wrote to memory of 2012	2416	a975l5GH0AdQ25.exe	33
PID 2416 wrote to memory of 2012	2416	a975l5GH0AdQ25.exe	33
PID 2416 wrote to memory of 2012	2416	a975l5GH0AdQ25.exe	33
PID 2416 wrote to memory of 2012	2416	a975l5GH0AdQ25.exe	33
PID 2416 wrote to memory of 2012	2416	a975l5GH0AdQ25.exe	33

C:\Users\Admin\AppData\Local\Temp\1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe
"C:\Users\Admin\AppData\Local\Temp\1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe
  "C:\Users\Admin\AppData\Local\Temp\1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83N.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\ProgramData\7XWOn94vymA0bxZ\a975l5GH0AdQ25.exe
    "C:\ProgramData\7XWOn94vymA0bxZ\a975l5GH0AdQ25.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\ProgramData\7XWOn94vymA0bxZ\a975l5GH0AdQ25.exe
      "C:\ProgramData\7XWOn94vymA0bxZ\a975l5GH0AdQ25.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Program Files (x86)\Internet Explorer\ieinstal.exe
        
        "C:\Program Files (x86)\Internet Explorer\ieinstal.exe" /i:2416
        5⤵
        
        PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\7XWOn94vymA0bxZ\RCXBD47.tmp

Filesize
389KB

MD5
3f30f0ef691be26b6b1c1649f604ce97

SHA1
87fe2ac07a4bcc86bb6557e3beca15a60136edb8

SHA256
f81a80fadab5259af494f7a2ea5d71f63ee1990a745afa07b01cdc08c1b3638d

SHA512
dd575ed52699e069f6c4fa394f582bc103d1aa75f366a5bfe9bd5f498ec982e86f99ef0644ca46aa8e168e5a95f09153ddd9639cc79c3fd30d36b1be064eb45d

Download Submit
\ProgramData\7XWOn94vymA0bxZ\a975l5GH0AdQ25.exe

Filesize
389KB

MD5
d20d9d202c340b981989854985589930

SHA1
661707f5264c6bb231e7af829bb9fdfb9567bb70

SHA256
1e66021303620656aeacc14faa7bd8a2e0f554cd57cec192e7e6960c249cca83

SHA512
2d7b7c84294ae21ea54f8d92f425ac2244721bb3358d3f3689edfc4adeb3a7c6c5ff8a307d33d053d0ee399e0c32d5344e337315d88ba982fe669c4b27101ab6

Download Submit
memory/1248-35-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1248-38-0x0000000076350000-0x0000000076460000-memory.dmp

Filesize
1.1MB

Download
memory/2012-51-0x0000000076350000-0x0000000076460000-memory.dmp

Filesize
1.1MB

Download
memory/2012-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2236-0-0x0000000076361000-0x0000000076362000-memory.dmp

Filesize
4KB

Download
memory/2236-6-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2252-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2252-12-0x0000000076350000-0x0000000076460000-memory.dmp

Filesize
1.1MB

Download
memory/2252-27-0x0000000076350000-0x0000000076460000-memory.dmp

Filesize
1.1MB

Download
memory/2252-24-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2252-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2252-8-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2252-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2252-5-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2416-52-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2416-54-0x0000000076350000-0x0000000076460000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads