a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8

General

Target

a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe
Size

73KB
MD5

007f73a29579e35a7de0a8eae965c830
SHA1

04223ebde7e886874af19adacf07748fcff2c926
SHA256

a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8
SHA512

f867d94a8b5edf2798f5ae7c01e432b3af617d1ecf362251eaa917cc8c3f5568d8339404ee39aa2ad75002f3316a043dffb5f435244c129bd3264ea8bf4e762a
SSDEEP

768:HJOfFEdN379p4GBSgkFVQWZEADDLmUeWQfB/2ieWQfB/2peWQfB/23eWQfB/2fGs:piaN37X4GpkFCVCLdKNrKNsKNaKNKX1B

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2720	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe
Token: SeDebugPrivilege	2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2720	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe
2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2792	2720	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	30
PID 2720 wrote to memory of 2792	2720	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	30
PID 2720 wrote to memory of 2792	2720	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	30
PID 2720 wrote to memory of 2792	2720	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	30
PID 2792 wrote to memory of 2844	2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	31
PID 2792 wrote to memory of 2844	2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	31
PID 2792 wrote to memory of 2844	2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	31
PID 2792 wrote to memory of 2844	2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	31
PID 2792 wrote to memory of 2844	2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	31
PID 2792 wrote to memory of 2844	2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	31
PID 2792 wrote to memory of 2844	2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	31
PID 2792 wrote to memory of 2844	2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	31
PID 2792 wrote to memory of 2844	2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	31
PID 2792 wrote to memory of 2844	2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	31
PID 2792 wrote to memory of 2844	2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	31
PID 2792 wrote to memory of 2844	2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	31
PID 2792 wrote to memory of 2844	2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	31
PID 2792 wrote to memory of 2844	2792	a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe	31

C:\Users\Admin\AppData\Local\Temp\a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe
"C:\Users\Admin\AppData\Local\Temp\a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2720
- C:\ProgramData\pcdfdata\a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe
  C:\ProgramData\pcdfdata\a0b3c177d22573f43ea223c13ebdb401ea0c9e325d2eec76bce49031697c13e8N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2720-1-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2720-0-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/2792-3-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2792-2-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing