a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5b

General

Target

a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe
Size

208KB
MD5

d7e3b7840c38cbde3c8f0d0793d8e220
SHA1

9f508f8b8d3e6c99041c9dcfacd2d703d2b8af2d
SHA256

a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5b
SHA512

b84a1ad33b587a64684f901cb25c21c2a692e4e2d820a82484e17cec6e5287ee8b4a0cf1b96217763ca5970426ab0188bb8ed9953777417847433362086bbe58
SSDEEP

3072:+X1weiQuIe9rW2UFJ+h0u7aIXVDrxBe/r4NLthEjQT6W:celQuji3J+d+yPxkQEjE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1496	KXZKIJH.exe

Loads dropped DLL 2 IoCs

pid	Process
2568	cmd.exe
2568	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\system\KXZKIJH.exe	a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe
File opened for modification	C:\windows\system\KXZKIJH.exe	a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe
File created	C:\windows\system\KXZKIJH.exe.bat	a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KXZKIJH.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2548	a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe
1496	KXZKIJH.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2548	a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe
2548	a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe
1496	KXZKIJH.exe
1496	KXZKIJH.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2568	2548	a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe	30
PID 2548 wrote to memory of 2568	2548	a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe	30
PID 2548 wrote to memory of 2568	2548	a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe	30
PID 2548 wrote to memory of 2568	2548	a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe	30
PID 2568 wrote to memory of 1496	2568	cmd.exe	32
PID 2568 wrote to memory of 1496	2568	cmd.exe	32
PID 2568 wrote to memory of 1496	2568	cmd.exe	32
PID 2568 wrote to memory of 1496	2568	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe
"C:\Users\Admin\AppData\Local\Temp\a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system\KXZKIJH.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\windows\system\KXZKIJH.exe
    C:\windows\system\KXZKIJH.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\KXZKIJH.exe.bat

Filesize
74B

MD5
3b4eae8567a0ddd5fbaad71ad409acdf

SHA1
3e37502140d7d7db4805fff1bdc236e63d619762

SHA256
49d9452072a96a0ef427da9939604192873a800dc83a8f101351b5b77fdcd809

SHA512
8d4b0f532591ed46d3b2467e1bf7612a7754e2f042fe469d093b66dfa061bf84b1bb34f1f1734e0e8dd587d2f4be313b22b129ebda4a0c082840f76a457f3579

Download Submit
\Windows\system\KXZKIJH.exe

Filesize
208KB

MD5
6e8ccdf91752bf26f3bb373da9892973

SHA1
efd1d3fc76de15b6404bede7623d68a33d4766ce

SHA256
096af9dda1a1999b33ca0b76f8bc93b2813c471fc1c8eeb4e029acc8b4d7a200

SHA512
6122684639a7b5d44f3519c9520d76392b67f90c05b39fc448ab3c9f53e0ad81ac959bb4bfed453387b5fc6b702a53caacfa664ef6f9fe09707b9e3beee03239

Download Submit
memory/1496-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2548-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2548-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2568-16-0x0000000000170000-0x00000000001A8000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing