353e4eff3a157ce281bc3452acfbe75c2f4b84fae99dbf1258276eb9b8db23c7

General

Target

$_3_.exe
Size

1.7MB
MD5

c4ca24ec91ced69fc98fac6fba21dc88
SHA1

b84f3a1ceef89673e31e0be210eb33d865d60659
SHA256

c690bea2115b2a16e23c845785772d14fdb978d32cb22bbbce83f53673eda821
SHA512

5783d1b8599d472039e9afca35590f76fe8930c73af4fa35fb796e819ca6d7219bd7ba1a0a6bcf3e8d76e9d873a078d74857a2318f8bbc3eca34c051a9ca4d41
SSDEEP

49152:27mrmYPoEHVGTWFkO4ITVpSuECY/vrM3rA3SuNM:Nm2Z12WFYFJ+

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$_3_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1776	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1776	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
264	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
264	$_3_.exe
264	$_3_.exe
264	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 2592	264	$_3_.exe	32
PID 264 wrote to memory of 2592	264	$_3_.exe	32
PID 264 wrote to memory of 2592	264	$_3_.exe	32
PID 264 wrote to memory of 2592	264	$_3_.exe	32
PID 2592 wrote to memory of 1776	2592	cmd.exe	34
PID 2592 wrote to memory of 1776	2592	cmd.exe	34
PID 2592 wrote to memory of 1776	2592	cmd.exe	34
PID 2592 wrote to memory of 1776	2592	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\27157.bat" "C:\Users\Admin\AppData\Local\Temp\2BBFF3F753A14F0B8F86194D5B0FA6E7\""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\$I6TT47V

Filesize
544B

MD5
bdf98ce3e535a5ff025a63db40d73d67

SHA1
b0fdff6cb62cdb2eab77fa277d0cd9f7e9e17341

SHA256
b1f6f888216022c66567686f94408c35673fc6a9ce291fba3c595e5ffaa9cfb7

SHA512
76c25fd24ed39875c7f46c55ac4ffb150ef99605027859017f9c30e6ed7f2f3ab4a78f68ac9cbc8d7fb378912e511f054a61f6639f8ed105fd7513f067ccea5d

Download Submit
C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\$INNF4PY

Filesize
544B

MD5
8fe159918e0ad7816e2e2d86e7b69cd3

SHA1
593c04037374d652f489b5f04a9d75ddd9d145b6

SHA256
4eb94ebee7fee0c93393df3ff0ba87a6fa4087a63ed1056ec1fdce92a603dff6

SHA512
500b4538a55484d595c2d2e75f97a6e59bf1bbff927a6c7aedb02349f3adf60122b5a99cd2897f052aeb07832178d9748136c136f21385d2c3b69f1c74cab305

Download Submit
C:\Users\Admin\AppData\Local\Temp\27157.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BBFF3F753A14F0B8F86194D5B0FA6E7\2BBFF3F753A14F0B8F86194D5B0FA6E7_LogFile.txt

Filesize
3KB

MD5
165822976634fb0d0b35641d09ceb812

SHA1
ab05ea42eddc24e1ece6cc1f36fc614885b90aa0

SHA256
f9224c1cba39d9c862cb9de158ce8dae73c21f2c564e45ec922d13cb1d29331e

SHA512
654e37a5e285a9a639a16f62f7f17699549362205c6ffead9323f75118daa23f8bc742d24970217ba14942f587c94760565aea3a7bdea2982a4a15eaf35d34fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BBFF3F753A14F0B8F86194D5B0FA6E7\2BBFF3F753A14F0B8F86194D5B0FA6E7_LogFile.txt

Filesize
4KB

MD5
0ef36499b67321da825d260621949799

SHA1
2620971aeb64093a906d7868cbdc226f7c488837

SHA256
d1be8b552805ce0ef1b2d42876005a383f18b88b98ebd76c7020b833a138eb55

SHA512
373460abb2e877a06714243a8e83641d7af9cac0c3d8c0368c8067f1eecfa593b3ff3cbf69e7f5e29f9cdda968d80341261d9aba300218f4dc400a9ae187f085

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BBFF3F753A14F0B8F86194D5B0FA6E7\2BBFF3F753A14F0B8F86194D5B0FA6E7_LogFile.txt

Filesize
2KB

MD5
09247b521183b6331afee39f75c5a6c7

SHA1
d36aee1bc5394bb547635697c5883b528a467de6

SHA256
4e11496c08f189ed603b96538a069299adaaf2b5dfeb00b12d92adb8f14096f1

SHA512
97f7337922666fd0ae9f0ef6f9a34eb00aa61567a954cce383d5b981cd181eb47953c65c4aa2420095899b3bca8eed82b2a08e846f4b9450aa7d91e5bd640697

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BBFF3F753A14F0B8F86194D5B0FA6E7\2BBFF3~1.TXT

Filesize
31KB

MD5
316ffc68bc494396098f93435ffbcd1e

SHA1
9806e4039d166fe3c91097df427a4f941e98ca20

SHA256
45823d532e68a6071b4daa1e7aa252c313aa9c62891c3084952b045ea7fd32fd

SHA512
bb86ab153deafb8d8d563a91a8add593ed223a5c84a3dd12ac4ba62ae6d515889d6ad4a9906ca72db9062b32e70308ce2378ffe8d599e6e0d9ed17e869c18bbf

Download Submit
memory/264-67-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads