6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22a

General

Target

6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe
Size

2.7MB
MD5

1013696a7112cad9d1175f876cc51db0
SHA1

c0ee1e1872ce56b8413e23d3c38633d33e04386f
SHA256

6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22a
SHA512

000a5b82add76991dd62a50c182ccbb60c028b92b05aaec5d1311db1f920a80574f243335c46580fab69df5a3d94028f19c0c5b0c32c8b6b7a8147c3b652d420
SSDEEP

49152:9WyT+P66XbOP/ZzA2DItg1Hoaz6wecYfFkURwlhyAuLjf/IVgs5+xP:bTE66yXZ02DwUHoazRofxIhELjf/IVgs

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
532	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	Lisetta Margit.exe

Loads dropped DLL 6 IoCs

pid	Process
2400	6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2540	2256	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lisetta Margit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
532	cmd.exe
1308	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1308	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2400	6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe
2400	6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe
2256	Lisetta Margit.exe
2256	Lisetta Margit.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe
Token: SeIncBasePriorityPrivilege	2400	6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe
Token: SeDebugPrivilege	2256	Lisetta Margit.exe
Token: SeIncBasePriorityPrivilege	2256	Lisetta Margit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2256	2400	6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe	31
PID 2400 wrote to memory of 2256	2400	6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe	31
PID 2400 wrote to memory of 2256	2400	6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe	31
PID 2400 wrote to memory of 2256	2400	6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe	31
PID 2400 wrote to memory of 532	2400	6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe	32
PID 2400 wrote to memory of 532	2400	6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe	32
PID 2400 wrote to memory of 532	2400	6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe	32
PID 2400 wrote to memory of 532	2400	6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe	32
PID 532 wrote to memory of 1308	532	cmd.exe	34
PID 532 wrote to memory of 1308	532	cmd.exe	34
PID 532 wrote to memory of 1308	532	cmd.exe	34
PID 532 wrote to memory of 1308	532	cmd.exe	34
PID 2256 wrote to memory of 2540	2256	Lisetta Margit.exe	35
PID 2256 wrote to memory of 2540	2256	Lisetta Margit.exe	35
PID 2256 wrote to memory of 2540	2256	Lisetta Margit.exe	35
PID 2256 wrote to memory of 2540	2256	Lisetta Margit.exe	35

C:\Users\Admin\AppData\Local\Temp\6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe
"C:\Users\Admin\AppData\Local\Temp\6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\Lisetta Margit.exe
  "C:\Users\Admin\AppData\Local\Temp\Lisetta Margit.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 808
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lisetta Margit.exe

Filesize
2.7MB

MD5
31811d0d9aa5a75b6783c65868647a1d

SHA1
2656507c0ea9e5f90e49a97c9141c50b6b350381

SHA256
8f3eed830f3715f35b35f308df2900017a7d4a3b9102675dd3244e5b9d023152

SHA512
dacbeb2145208278128e5371dc481702e6d8f97b0c32e74427960242c1c3537a6d7154d8995485b03fc409c816e49b555b91e4e04c9374bc10af6a4d51b07bfe

Download Submit
\Users\Admin\AppData\Local\Temp\Lisetta Margit.exe

Filesize
2.7MB

MD5
c1ba98174d982415698f3535ffbf59ca

SHA1
cbcc6771f778e27ff1033e919cdc2058c0cad68f

SHA256
b31364903ba0fac963e9fa46e6b7b95e62aeb58b2fb033982b9896fd57f2a344

SHA512
3d0ab01c90b23ed7c67bc48c286281e48197f92770626db7cd7cc639a0ee545314a76c9060837b06d91a63c1223a1f681b8b39dddaffea52600b42ddd27524cd

Download Submit
memory/2256-38-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2256-32-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2256-31-0x0000000001150000-0x0000000001412000-memory.dmp

Filesize
2.8MB

Download
memory/2256-29-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2400-3-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2400-5-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2400-4-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2400-30-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2400-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/2400-2-0x0000000006F80000-0x00000000071A4000-memory.dmp

Filesize
2.1MB

Download
memory/2400-1-0x0000000000CA0000-0x0000000000F62000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads