5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593d

General

Target

5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe
Size

289KB
MD5

94796ee5b62354f967affb902485a930
SHA1

97d2b3b229463ed26b06e99969cf4e834fad8188
SHA256

5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593d
SHA512

dcc9cab77d07df9200e7f6e648b9b0302047407394ddb962086ae4ea919ba8c02ee85e34829f351a3c554a93d5c27dacdbed142476e662a49648dc3623e940bb
SSDEEP

6144:UOIHIBVw49kOBGOFDw6pskECzJLaQVbU5:UroLJFE6qklJLJbU5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2696	UDXSU.exe

Loads dropped DLL 2 IoCs

pid	Process
2752	cmd.exe
2752	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\UDXSU.exe	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe
File opened for modification	C:\windows\SysWOW64\UDXSU.exe	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe
File created	C:\windows\SysWOW64\UDXSU.exe.bat	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UDXSU.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2652	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe
2652	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe
2696	UDXSU.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2652	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe
2652	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe
2696	UDXSU.exe
2696	UDXSU.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2752	2652	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe	30
PID 2652 wrote to memory of 2752	2652	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe	30
PID 2652 wrote to memory of 2752	2652	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe	30
PID 2652 wrote to memory of 2752	2652	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe	30
PID 2752 wrote to memory of 2696	2752	cmd.exe	32
PID 2752 wrote to memory of 2696	2752	cmd.exe	32
PID 2752 wrote to memory of 2696	2752	cmd.exe	32
PID 2752 wrote to memory of 2696	2752	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe
"C:\Users\Admin\AppData\Local\Temp\5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\UDXSU.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\windows\SysWOW64\UDXSU.exe
    C:\windows\system32\UDXSU.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\UDXSU.exe.bat

Filesize
74B

MD5
469773c65fe3b78eb6a80bfa8b58d74e

SHA1
829863dd14e429b48a886cee80d753faff6309de

SHA256
a492231f3b71bebcf49b366fa905dd1e818b1699250dd641649fba1600c0a3c6

SHA512
4a8a0e6742f68715e37b972bb029d69ce595ee34dd3469fdb1b8ceae0ea3e07ae6a077719385d07b6fac3f41fbd73388404c5dac96ca307f0e8b462daebb1796

Download Submit
\Windows\SysWOW64\UDXSU.exe

Filesize
289KB

MD5
2f2d336d3f4450407e469b52742adfa3

SHA1
aadcca773b3ddea30dff00930003c2e3c6f2c891

SHA256
190a14145be68da3a58a98d9c407ed5bddd0d2d31559c11b4e994f2713e0d715

SHA512
946e20b812c5274cc0782f5091483073da4ebefeb5f700937b42d5f0247d6347ac2243804c43a5a86b515d2c75840abe577eaa04936177d761e6315c037d6b5d

Download Submit
memory/2652-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2752-18-0x0000000000580000-0x00000000005BF000-memory.dmp

Filesize
252KB

Download
memory/2752-16-0x0000000000580000-0x00000000005BF000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing