165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c

General

Target

165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
Size

2.7MB
MD5

6803679e27fec0fbbc90ad4d1c847b60
SHA1

4bcc7562edd3119175cbdbc34ab7f9b0635fcf3e
SHA256

165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c
SHA512

64c2dc052f662869021192199cccc61919a1baaa57fd08b4a25ac7e181f1f73b64ffc0fb38e468b7567f8e0d88194f080b2fc766b96a1cb219e4f9d7167e49bd
SSDEEP

49152:9ayT+P66XbOP/ZzA2DItg1Hoaz6wecYfFkURwlhyAuLjf/IVgs5+xP:bTE66yXZ02DwUHoazRofxIhELjf/IVgs

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2952	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2964	Gray Harrie.exe

Loads dropped DLL 6 IoCs

pid	Process
1960	165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2288	2964	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gray Harrie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2952	cmd.exe
2660	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2660	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1960	165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
1960	165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
2964	Gray Harrie.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
Token: SeIncBasePriorityPrivilege	1960	165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
Token: SeDebugPrivilege	2964	Gray Harrie.exe
Token: SeIncBasePriorityPrivilege	2964	Gray Harrie.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2964	1960	165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe	32
PID 1960 wrote to memory of 2964	1960	165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe	32
PID 1960 wrote to memory of 2964	1960	165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe	32
PID 1960 wrote to memory of 2964	1960	165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe	32
PID 1960 wrote to memory of 2952	1960	165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe	33
PID 1960 wrote to memory of 2952	1960	165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe	33
PID 1960 wrote to memory of 2952	1960	165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe	33
PID 1960 wrote to memory of 2952	1960	165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe	33
PID 2952 wrote to memory of 2660	2952	cmd.exe	35
PID 2952 wrote to memory of 2660	2952	cmd.exe	35
PID 2952 wrote to memory of 2660	2952	cmd.exe	35
PID 2952 wrote to memory of 2660	2952	cmd.exe	35
PID 2964 wrote to memory of 2288	2964	Gray Harrie.exe	36
PID 2964 wrote to memory of 2288	2964	Gray Harrie.exe	36
PID 2964 wrote to memory of 2288	2964	Gray Harrie.exe	36
PID 2964 wrote to memory of 2288	2964	Gray Harrie.exe	36

C:\Users\Admin\AppData\Local\Temp\165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
"C:\Users\Admin\AppData\Local\Temp\165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\Gray Harrie.exe
  "C:\Users\Admin\AppData\Local\Temp\Gray Harrie.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 800
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gray Harrie.exe

Filesize
2.7MB

MD5
81b03ab00083414362440a7bb63246a5

SHA1
3cb1b962b7a9dad130acc60c6cf8b89c88955cea

SHA256
3e61705c4463b0c5d558fff9971adb7f8a38631133d19ddac7d523222b4c7f7d

SHA512
992aecf6aa389adec74b007fb8c4e20471a2a08bc342d2304d780c85a3daff28d85ff8424dc30cf7379c7112905d58443b499b86725472caf2f06978b0d1e2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gray Harrie.exe

Filesize
2.7MB

MD5
ea4dc5edd3f289be74e804c48df1ad8e

SHA1
d5a4bb084e8f0787e51f51d93fd2e246cbf21b3a

SHA256
04b1f57d6d1983833aaf25f17ae5989f5ad7b9fbf22648ae87afead44f5b0b55

SHA512
503af7dddcdd049a3166f2878ce2c0f252126beef855f3fb70c965d9908187a0b77e2ee9c11935be54e55401fe2619fc1a3d702e85dcce8fc79f35a5c3fe7f69

Download Submit
memory/1960-3-0x0000000074D60000-0x000000007544E000-memory.dmp

Filesize
6.9MB

Download
memory/1960-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

Filesize
4KB

Download
memory/1960-4-0x0000000074D60000-0x000000007544E000-memory.dmp

Filesize
6.9MB

Download
memory/1960-5-0x0000000074D60000-0x000000007544E000-memory.dmp

Filesize
6.9MB

Download
memory/1960-2-0x0000000007120000-0x0000000007344000-memory.dmp

Filesize
2.1MB

Download
memory/1960-1-0x0000000000A00000-0x0000000000CC2000-memory.dmp

Filesize
2.8MB

Download
memory/1960-31-0x0000000074D60000-0x000000007544E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-30-0x00000000012F0000-0x00000000015B2000-memory.dmp

Filesize
2.8MB

Download
memory/2964-29-0x0000000074D60000-0x000000007544E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-32-0x0000000074D60000-0x000000007544E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-38-0x0000000074D60000-0x000000007544E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads