0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61b

General

Target

0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
Size

208KB
MD5

055ec5cf1c55ba392c43ee2ef772cf30
SHA1

a205132a89d5cfc0c6dc6c17d31dc2273a3f7503
SHA256

0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61b
SHA512

1c01d8cbd71df0b48521affb97db68800477c01ca06743866dd91db311248e8eed365e0e438a4e07d93824d74a518a2e55fa33f27c9c4837c78387aeae3d2bce
SSDEEP

3072:7MBIT2UDUZ6AIps1kpJhODQCtMaAaafCyHkLRvJ4NLthEjQT6c:73Ty+lyQfC1QEj+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2448	UCHKKWG.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\UCHKKWG.exe	0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
File opened for modification	C:\windows\UCHKKWG.exe	0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
File created	C:\windows\UCHKKWG.exe.bat	0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UCHKKWG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
596	0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
596	0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
2448	UCHKKWG.exe
2448	UCHKKWG.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
596	0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
596	0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
2448	UCHKKWG.exe
2448	UCHKKWG.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 2968	596	0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe	31
PID 596 wrote to memory of 2968	596	0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe	31
PID 596 wrote to memory of 2968	596	0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe	31
PID 596 wrote to memory of 2968	596	0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe	31
PID 2968 wrote to memory of 2448	2968	cmd.exe	33
PID 2968 wrote to memory of 2448	2968	cmd.exe	33
PID 2968 wrote to memory of 2448	2968	cmd.exe	33
PID 2968 wrote to memory of 2448	2968	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
"C:\Users\Admin\AppData\Local\Temp\0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\UCHKKWG.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\windows\UCHKKWG.exe
    C:\windows\UCHKKWG.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\UCHKKWG.exe

Filesize
208KB

MD5
5951a4ee2875f14e993ac83b78f15966

SHA1
9360ff48d82cd20bad43ef79fde05268c5d59bd0

SHA256
d217db57c420b0852577fbfcee1e2484519c22d1db40119589094f594d99efc8

SHA512
75ce76f6da9d7cc106a142a458edd5b7fc50ad551078a50b7f1b7749602cd686be6bb6b7188f361d5859f4537755756bc0fb12697b2cfcfac29bf16e94c96570

Download Submit
C:\Windows\UCHKKWG.exe.bat

Filesize
60B

MD5
853cbc014ad736f353978a62dddd67e6

SHA1
b8014e0211a7f5bddaaa7c26476d79f1a78d8646

SHA256
c8a1cba8effc943e5508b4ed94bf03562477653ef0666d6d4a3ae6a70b784243

SHA512
4b383260bd07d6bf192fa909f10220dfed917694156f2cbd7136a343e752e0c6bf495b0e923ca9442a56829a0e5e4f999df21ca32ff361ef0a9ba3d509817e02

Download Submit
memory/596-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/596-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2448-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2968-15-0x00000000001D0000-0x0000000000208000-memory.dmp

Filesize
224KB

Download
memory/2968-16-0x00000000001D0000-0x0000000000208000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing