850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3

General

Target

850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe
Size

37KB
MD5

922ddb400915ecc12148b5502b5b7748
SHA1

23048047f7fd4cbfa20269a89e9aa61ddc623815
SHA256

850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3
SHA512

b6e37b5b14f4451bc9f13aa056c489c887cfd6f9694d12ce8cacd4f1f4df546e72e32ae6bfe793ba496f62d6bf836307f181a2b6e85ed528d88f7bbc7b74e05d
SSDEEP

384:84Uo92aul8VctMCqTX3xAkSVE6B95rfRqzhBaSUR4WVJl/vrseE7GNb9n:84U6ulPg6XO66WRqUZ

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1932 set thread context of 4460	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4740	4460	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2944	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe	82
PID 1932 wrote to memory of 2944	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe	82
PID 1932 wrote to memory of 2944	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe	82
PID 2944 wrote to memory of 3984	2944	csc.exe	84
PID 2944 wrote to memory of 3984	2944	csc.exe	84
PID 2944 wrote to memory of 3984	2944	csc.exe	84
PID 1932 wrote to memory of 4460	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe	85
PID 1932 wrote to memory of 4460	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe	85
PID 1932 wrote to memory of 4460	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe	85
PID 1932 wrote to memory of 4460	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe	85
PID 1932 wrote to memory of 4460	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe	85
PID 1932 wrote to memory of 4460	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe	85
PID 1932 wrote to memory of 4460	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe	85
PID 1932 wrote to memory of 4460	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe	85
PID 1932 wrote to memory of 4460	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe	85
PID 1932 wrote to memory of 4460	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe	85
PID 1932 wrote to memory of 4460	1932	850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe	85

C:\Users\Admin\AppData\Local\Temp\850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe
"C:\Users\Admin\AppData\Local\Temp\850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ekaj1xzz\ekaj1xzz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES858B.tmp" "c:\Users\Admin\AppData\Local\Temp\ekaj1xzz\CSC6DB5DE00D2AB4B7C87B8D9E3C45E78E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 616
    3⤵
    - Program crash
    PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4460 -ip 4460
1⤵
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES858B.tmp

Filesize
1KB

MD5
3fda785fecb3e8d3f4def1eaf45eb742

SHA1
9f3974b99f909968e5fdae4a669c5e536e24d5d6

SHA256
7fcce4fc6f8956471748c8f9cce64cd579a64e2cb7657aaf3f1103b88a33f8a8

SHA512
d7e11d53a27ddbe3e69056d30a602c1d8edacef887002d098c62a7bcb0cf3cb54c95417eb4a40fba1a068938c490938cbe04447c26e1e32d0eb035be088209b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekaj1xzz\ekaj1xzz.dll

Filesize
9KB

MD5
4fb69e4c9a8be816005ebee141f518e4

SHA1
3072e6d375b391d588846bc37198f275f757f811

SHA256
12f541d82e5d0f0b670b507158afc4159ac66e9dd964229f31a712fefbf23d16

SHA512
7f900cd83b1a45519a63055772c5e42ba0e8fd223313fd648e21270e8112e2a993f96ab953d6caac5526d94365c9382b551552df1bd00a0cf4fb9014a6db3a6c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ekaj1xzz\CSC6DB5DE00D2AB4B7C87B8D9E3C45E78E.TMP

Filesize
652B

MD5
f649aac3f2439c35b701ef60f95310c2

SHA1
b4003c85ba387d1565e02af49b276456b15cf7e1

SHA256
e67ba7d323aa9148274376e2a4a20e7fd39d42994c79255f6c4248e45a87d32f

SHA512
0bb29d9e70901b3776b536423cc3df9468cf72f9ab09def21e9daf2ded81eb07caa3aa9f7e1a9823fd89b2ba35ed44394d8e106e2df99b6173ad93fd7aa00eea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ekaj1xzz\ekaj1xzz.0.cs

Filesize
10KB

MD5
1b6ac34c4169b5a34200e793d21182e6

SHA1
7a195f13804f6d4f38774b2a94962faa2f6c03e6

SHA256
38eca887cb1764ceccab157b44915f0a41760c843c530a72d66ee414a9a61296

SHA512
454f50f81b31594855c7bf2b6168c7a4ead6e83e4c60cf7f49c54a4a6378ba7946b00b9336b3ffa9c390fc85ea4305577093411448a68cb0d8280b115ea0dd58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ekaj1xzz\ekaj1xzz.cmdline

Filesize
204B

MD5
270055309b577ca3f6cdd56397585add

SHA1
944d98fee2a871d42875ac358a05855073b0d054

SHA256
9e269f4655a050f03a7d23da6b71eb8ac596314538f6cb2f878e36a3e9149a42

SHA512
9511134cdf68f9ceaba1f3b341238683835bd788d6f5bc77dd39c9d828d64897e70b978185807f90d9e09a4940cb1af1a597734fc543f44dbbce52b81387e75a

Download Submit
memory/1932-0-0x00000000752DE000-0x00000000752DF000-memory.dmp

Filesize
4KB

Download
memory/1932-2-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/1932-1-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/1932-15-0x0000000005E20000-0x0000000005E28000-memory.dmp

Filesize
32KB

Download
memory/1932-23-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4460-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4460-19-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4460-20-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4460-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing