db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572a

General

Target

db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572aN.exe
Size

413KB
MD5

855571a9d5e3c3d9ac7a8ad4d8f0b870
SHA1

64777d1b77bfe4db2fcbc998e21e94654549a06c
SHA256

db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572a
SHA512

1aa8723a08fb53a9d91117e98be9797eb281a165dd69d4e81175bb1ea290068f616c0381a472bf846b8f6bfb213f27815e52e29d7a19e17d8873fb93b016f1d0
SSDEEP

6144:ITNE3ZRrnaBVlvphVxmP+6CiejgcME1cwYfU+va+RUK:ITNYrnE3bm/CiejewY5vh

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ximo2ubzn1i.exe

pid	Process
2304	ximo2ubzn1i.exe

Loads dropped DLL 1 IoCs

Processes:

db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572aN.exe

pid	Process
1976	db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572aN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572aN.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\c5e4gxfvd4v = "C:\\Users\\Admin\\AppData\\Roaming\\c5e4gxfvd4v\\ximo2ubzn1i.exe"	db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572aN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572aN.exeximo2ubzn1i.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ximo2ubzn1i.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572aN.exeximo2ubzn1i.exe

description	pid	Process	procid_target
PID 1976 wrote to memory of 2304	1976	db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572aN.exe	31
PID 1976 wrote to memory of 2304	1976	db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572aN.exe	31
PID 1976 wrote to memory of 2304	1976	db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572aN.exe	31
PID 1976 wrote to memory of 2304	1976	db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572aN.exe	31
PID 2304 wrote to memory of 2172	2304	ximo2ubzn1i.exe	32
PID 2304 wrote to memory of 2172	2304	ximo2ubzn1i.exe	32
PID 2304 wrote to memory of 2172	2304	ximo2ubzn1i.exe	32
PID 2304 wrote to memory of 2172	2304	ximo2ubzn1i.exe	32
PID 2304 wrote to memory of 2172	2304	ximo2ubzn1i.exe	32
PID 2304 wrote to memory of 2172	2304	ximo2ubzn1i.exe	32
PID 2304 wrote to memory of 2172	2304	ximo2ubzn1i.exe	32

C:\Users\Admin\AppData\Local\Temp\db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572aN.exe
"C:\Users\Admin\AppData\Local\Temp\db9f62728d3e0c52b71fe1a35ed80cbb1cf643ac2942da95c9fdc91a7cf5572aN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe
  "C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe

Filesize
413KB

MD5
b10d7a9391e7e484f21c5f440d50a03f

SHA1
70c006168738bb4062e5bad75a52b9d7c0f8cad9

SHA256
34446973501d1d05066757b3a9fbd9ef7da75879790ddacc6bb0f6f2b0ef87ac

SHA512
3770592b191743acf2f6a6e317865d25eeac7283274f38e4b8fe7accac4cfc06f1075374239eeee2f3211ac7b9e0a9a201b6a12aec11c7ed544f0e5d0565fc9b

Download Submit
memory/1976-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/1976-1-0x0000000000160000-0x00000000001CE000-memory.dmp

Filesize
440KB

Download
memory/1976-2-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/1976-3-0x0000000000730000-0x000000000076C000-memory.dmp

Filesize
240KB

Download
memory/1976-14-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-12-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-15-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-13-0x0000000000940000-0x00000000009AE000-memory.dmp

Filesize
440KB

Download
memory/2304-16-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-17-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads