4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153

General

Target

4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe
Size

208KB
MD5

9045694005a1f2f996d3fdab3d925560
SHA1

42acd7a2343265f64bdbe9ea8e0bc9a5eae1fd57
SHA256

4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153
SHA512

07fbe037bb72eaf6b2c9c5cdbafcf1446009886e36ed196e573885b50994a434fc33b07a6a80d044e3c4260a368efec3dc9ef84a889ffa57a8c443502b0142a9
SSDEEP

3072:5djpRllkwo8syI6IqSUEDjycJ/2Gk4C1o4NLthEjQT6c:5XRTkwMyI7BZ2LxoQEj+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1048	PORENUD.exe

Loads dropped DLL 2 IoCs

pid	Process
2180	cmd.exe
2180	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\PORENUD.exe	4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe
File opened for modification	C:\windows\SysWOW64\PORENUD.exe	4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe
File created	C:\windows\SysWOW64\PORENUD.exe.bat	4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PORENUD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1684	4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe
1048	PORENUD.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1684	4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe
1684	4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe
1048	PORENUD.exe
1048	PORENUD.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2180	1684	4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe	28
PID 1684 wrote to memory of 2180	1684	4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe	28
PID 1684 wrote to memory of 2180	1684	4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe	28
PID 1684 wrote to memory of 2180	1684	4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe	28
PID 2180 wrote to memory of 1048	2180	cmd.exe	30
PID 2180 wrote to memory of 1048	2180	cmd.exe	30
PID 2180 wrote to memory of 1048	2180	cmd.exe	30
PID 2180 wrote to memory of 1048	2180	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe
"C:\Users\Admin\AppData\Local\Temp\4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\PORENUD.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\windows\SysWOW64\PORENUD.exe
    C:\windows\system32\PORENUD.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\PORENUD.exe.bat

Filesize
78B

MD5
e3b9af0262d437df2e6ad50703351fc2

SHA1
6782f7bed06b2d4505a4efe6e4a3deb296128e7f

SHA256
ea01b44c791bf1b09f3954dd6c7cd36c18f6c7e9414585eb94364f0b5cbf880e

SHA512
8ddf41a0075c59bcf81e1dfef13fa58cca122056294331f556d657615e1737f2883926eb1b3769ba73baeef65c841957080dc1a37ec103d7f73a1ed01fb00b16

Download Submit
\Windows\SysWOW64\PORENUD.exe

Filesize
208KB

MD5
df5dab4cf5812c172990ef8432315bd7

SHA1
c33c3bf1a50642b9a9757c42f32be5b8f7645f43

SHA256
d3484963c11dc32ad2705d313adb2ae8ced1f2fdb64d5628f5c5a5cfe907f123

SHA512
3e22b0c55354f2a51fc12ad6534b637b69ed16019994bc3953c2ab5f4f859283b059696ca29f9f1b9209e312b0a93eacd9e1874875e28cdfc77ebf95ee162daa

Download Submit
memory/1048-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1048-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1684-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1684-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing