f0c7a98e2dd66f881e4d0a21029f792801c98f5484fe1b61b64816bcc3313ab1

General

Target

ce4d925085b8ee3ac8d0a2b9.exe
Size

35.1MB
MD5

f4a475680175eebab6bf2f27791c72c6
SHA1

f0296bace10541878c87af116c2e16c2a30107e7
SHA256

f0c7a98e2dd66f881e4d0a21029f792801c98f5484fe1b61b64816bcc3313ab1
SHA512

049cac95aeb23b1a27c9c8c6b35424e3dc6c5e9ca98eae5ef254f6c79ee6263e2172cb5c7b49d3a35438169892d0dc805ed7fe3a79d483d25472a8cc10c6cc99
SSDEEP

786432:pgxUHZJz7EzohbhFMBGVKvz9MmsFq/2XCppwm:9Zd6ghCfhwFq/6Cppwm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2288	ce4d925085b8ee3ac8d0a2b9.exe
2996	ce4d925085b8ee3ac8d0a2b9.exe

Loads dropped DLL 2 IoCs

pid	Process
2016	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	ce4d925085b8ee3ac8d0a2b9.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	ce4d925085b8ee3ac8d0a2b9.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce4d925085b8ee3ac8d0a2b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce4d925085b8ee3ac8d0a2b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce4d925085b8ee3ac8d0a2b9.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2016	ce4d925085b8ee3ac8d0a2b9.exe
2016	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2288	ce4d925085b8ee3ac8d0a2b9.exe
2996	ce4d925085b8ee3ac8d0a2b9.exe
2996	ce4d925085b8ee3ac8d0a2b9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2288	2016	ce4d925085b8ee3ac8d0a2b9.exe	30
PID 2016 wrote to memory of 2288	2016	ce4d925085b8ee3ac8d0a2b9.exe	30
PID 2016 wrote to memory of 2288	2016	ce4d925085b8ee3ac8d0a2b9.exe	30
PID 2016 wrote to memory of 2288	2016	ce4d925085b8ee3ac8d0a2b9.exe	30
PID 2288 wrote to memory of 2996	2288	ce4d925085b8ee3ac8d0a2b9.exe	32
PID 2288 wrote to memory of 2996	2288	ce4d925085b8ee3ac8d0a2b9.exe	32
PID 2288 wrote to memory of 2996	2288	ce4d925085b8ee3ac8d0a2b9.exe	32
PID 2288 wrote to memory of 2996	2288	ce4d925085b8ee3ac8d0a2b9.exe	32

C:\Users\Admin\AppData\Local\Temp\ce4d925085b8ee3ac8d0a2b9.exe
"C:\Users\Admin\AppData\Local\Temp\ce4d925085b8ee3ac8d0a2b9.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
- \??\c:\users\admin\appdata\local\temp\ce4d925085b8ee3ac8d0a2b9.exe
  c:\users\admin\appdata\local\temp\ce4d925085b8ee3ac8d0a2b9.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2288
- - \??\c:\users\admin\appdata\local\temp\ce4d925085b8ee3ac8d0a2b9.exe
    c:\users\admin\appdata\local\temp\ce4d925085b8ee3ac8d0a2b9.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
9316b3cb19e7b967dc871b8b9ded4e75

SHA1
a73527af85bffaf2224a85bc433abd1d67b7a8aa

SHA256
be31490bf5903aae4a51dcdd1cb3e855644f43354b6b39d5b8e34739acf22592

SHA512
f14bd1dbb7f05b1cb2ebfcd05220a3eb94753a15303513d2fe73915e3f85ab2332f022d30169a051f0113698aed43ead029d7e02dd63b8386141a85ebc364b57

Download Submit
\Users\Admin\AppData\Local\Temp\ce4d925085b8ee3ac8d0a2b9.exe

Filesize
35.0MB

MD5
d854082bdab41528d5b07ce3896588d0

SHA1
fddfef138e7310816c4eca5d4939fd47b77efae3

SHA256
741f1d0f1ea2d4e0ce33195cf521f21ef05589db78a323820bf4c3673f7d2eef

SHA512
1f6d9d8649617e9b494568a6382439cfcf5cc67aa0c4bcc87dcd7a8fe5a5bd1be966664a010efffd03b50dfc208d55249daa0e2442476615266c4dce5cc216bd

Download Submit
memory/2016-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2016-7-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/2016-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2288-18-0x00000000025A0000-0x00000000025BF000-memory.dmp

Filesize
124KB

Download
memory/2288-24-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2996-23-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing