357d48ac369c240b339687beb4daee4e4e6faf071b89bf60a4655025088e57ca

General

Target

$_3_.exe
Size

1.7MB
MD5

2ee2b50b5e4ca76e33244569b962c139
SHA1

2dc786b5da140ba79e6fd6288e8f6c34e0d8dab3
SHA256

d47132aafe3e47d4296266854582c3056bc527efcf2982652bd33e2108255b44
SHA512

cba8d1c5f9ee4102310acf8cb1990952611ccacb82d2ec7fc76741e0651a1569090d09af3408e45c79362d8a22d0643549a38115750de3536edad44241dd2f11
SSDEEP

49152:N7mrmYPoEHVGTWFkO4ITVpSuEqW/vrM3rA3SuNg:Wm2Z12WFYFXS

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$_3_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2468	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2468	$_3_.exe
2468	$_3_.exe
2468	$_3_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 1976	2468	$_3_.exe	30
PID 2468 wrote to memory of 1976	2468	$_3_.exe	30
PID 2468 wrote to memory of 1976	2468	$_3_.exe	30
PID 2468 wrote to memory of 1976	2468	$_3_.exe	30

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2685.bat" "C:\Users\Admin\AppData\Local\Temp\D62A29958021465EA75DAC4C634EB027\""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\$IKV829T

Filesize
544B

MD5
a48aeaa31ac209139237ec187eba51f9

SHA1
e39a5980fa18f4f853b2bb67c58dc085ecf4b07f

SHA256
ecc0f244a8ec43b08a6947fadb74b2ed781ff17657941e8d42c3ffd39db42e31

SHA512
e5d606808191c56502417beeb3dd552850804d7be7f7690f8e173405631e5454d1cbe162a23967e9d2aafe09e9d749fd68a3ced0ead73fa2f449a83371668349

Download Submit
C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\$INI1JPG

Filesize
544B

MD5
788373d2353d491595b701c67e50b6e3

SHA1
8b2f163e685606f9166bd6839eea32c235692e81

SHA256
dab9e6ac05f025d34da3d9c8e82109bc41eb9213d99b77ad8584c81d4f3bf855

SHA512
b7141dfc17a57d2abbdb77dc7d13e24fcbea5e2f31b0c29948362701cfe95b384e2a4b6c925fa4f2851cffc152edc34b0ad701db0035f77676254be51479165f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2685.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\D62A29958021465EA75DAC4C634EB027\D62A29958021465EA75DAC4C634EB027_LogFile.txt

Filesize
3KB

MD5
ff9aad9ab3bf851d2e9456fe98ac245a

SHA1
5b7a25de61b335f9e7a5cd317ff6c97c03a4c648

SHA256
ffc6f560efd0f350eb6083c1351b72dbbeadc9a6f9e7e16b9d263aacfcd4ae12

SHA512
5ad2593a44618123b118d01725fdc71d3a1615ca6d08076386f316cbd89b64ea8e3b139154a7a4d8d5eb62904682883f7e07e9377f7d720707e2263def77cd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\D62A29958021465EA75DAC4C634EB027\D62A29958021465EA75DAC4C634EB027_LogFile.txt

Filesize
2KB

MD5
da251133acc52ed5e2b23a8a2da3897e

SHA1
48ced31df2255664a68aeb2922c4efaab0d8220f

SHA256
d000db7b58ba09b4422e99f4e2b6c3cc71ed57c8e3363485b449a8c233bee037

SHA512
b7e2dd7fe84367f224a0c488977a0723ab75f44e55baa3a5c4d221fb05db9a211a7b92cbfb44f0bda6ea06bd94caff90db8916ead09ddb2acb10345f39e1f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D62A29958021465EA75DAC4C634EB027\D62A29958021465EA75DAC4C634EB027_LogFile.txt

Filesize
4KB

MD5
c4bfca334f2a8e77defbc649f36fabf0

SHA1
da5827ffcd0a330737a98d247e874dce848d3572

SHA256
ed42d195ef4abf4f46d37a6e3fd6775b3da9a36cd37cf681907f35e18d0986da

SHA512
52b07db0afad615087970b086a6d1435e56f786e701c61d3152554908ababe00262e81b30d2dcc2450ee20d996af0ecfec4097f7b56a647db4c2230040511076

Download Submit
C:\Users\Admin\AppData\Local\Temp\D62A29958021465EA75DAC4C634EB027\D62A29~1.TXT

Filesize
30KB

MD5
ddba987992b7d1a23be8f6d21fa6efff

SHA1
35e7f40f7edbea7477d5760c91f73cd3e333e315

SHA256
1c41a83bfb6d3f339cca41d2f0089a4360a1217b8ad9a4950180a52af89b893b

SHA512
abad253828f666dda60c34066e12e4f3c63c0e85066d91b2e9d9eb6e99d0b1da2e00a8c85ca3a7db7b6f6b7b7652168c0c38dd8bbbf96eb1a6177e998e259495

Download Submit
memory/2468-63-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing