173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1

General

Target

173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
Size

1.4MB
MD5

2ed5a214f96d2c1cab7979e824e77d60
SHA1

cf8af03123ccb03578f8824526c9fc15f185b25d
SHA256

173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1
SHA512

010c391bace723f10248c19c84942277b953aede6192584da14b95ac2e0c54d7545fc91b739e06617ad638259ff3720ba2140f3a6a9294e736c625d64475cb76
SSDEEP

24576:L8dvIOVmW6AbPsArkueRKmV3sNlHXdmMovDevm:LowONbkBuyKmBs7YjS+

Score

7^/10

Malware Config

Signatures

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app_signed.exe	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app_signed.exe	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe

Executes dropped EXE 2 IoCs

pid	Process
2584	app.exe
1488	app.exe

Loads dropped DLL 1 IoCs

pid	Process
2452	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\app.exe"	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 1488	2584	app.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2452	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
2452	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
2452	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
2452	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
2452	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
2452	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
2584	app.exe
2584	app.exe
2584	app.exe
2584	app.exe
2584	app.exe
2584	app.exe
2584	app.exe
2584	app.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
Token: SeDebugPrivilege	2584	app.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1488	app.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2584	2452	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe	31
PID 2452 wrote to memory of 2584	2452	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe	31
PID 2452 wrote to memory of 2584	2452	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe	31
PID 2452 wrote to memory of 2584	2452	173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe	31
PID 2584 wrote to memory of 1488	2584	app.exe	33
PID 2584 wrote to memory of 1488	2584	app.exe	33
PID 2584 wrote to memory of 1488	2584	app.exe	33
PID 2584 wrote to memory of 1488	2584	app.exe	33
PID 2584 wrote to memory of 1488	2584	app.exe	33
PID 2584 wrote to memory of 1488	2584	app.exe	33
PID 2584 wrote to memory of 1488	2584	app.exe	33
PID 2584 wrote to memory of 1488	2584	app.exe	33
PID 2584 wrote to memory of 1488	2584	app.exe	33

C:\Users\Admin\AppData\Local\Temp\173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
"C:\Users\Admin\AppData\Local\Temp\173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1488
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
    3⤵
    PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab61A0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe

Filesize
1.4MB

MD5
9c36d1ff79c63405ea213dc26f736009

SHA1
22b82a47a56f719bd4f869bdf047086508b533f5

SHA256
12930731171e43b7638aafa3faed775be54adea1186682caf189844ea3bdb51d

SHA512
2b5ca96508a1ccc61600dda124cb2e9d2a848e8416bd2e4cecebc3df143cfcbdb723da96983e7f25f53da60d6cb178b9057ca2bde4e4d023c023f0425a57d1fb

Download Submit
memory/1488-49-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1488-45-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1488-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1488-56-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1488-58-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1488-53-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1488-47-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1488-50-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2452-0-0x00000000746A1000-0x00000000746A2000-memory.dmp

Filesize
4KB

Download
memory/2452-10-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2452-1-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2452-29-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2452-9-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2452-11-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-42-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-43-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-41-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-32-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-30-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-59-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads