4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434

General

Target

4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe
Size

208KB
MD5

76041d013ec747c05b3f72abfd684d4d
SHA1

384034d91f56f43cc5e3b6b73a49d10984cd2953
SHA256

4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434
SHA512

d7cdd83877923166da311e07b38e8aa3733d8ea93aacf05cdcd11e23ec2590a691690355a3d847daa6e863c3415802507a197f63cef0896d393aa935c6af085b
SSDEEP

3072:TYAamQZjGqd4l65adudBqd9H/7dA1MFIgrUi706oM1r6J6Kju4NLthEjQT6+:TYAamQgqew89igPA6JRyuQEjM

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2756	DTNFB.exe

Loads dropped DLL 2 IoCs

pid	Process
2764	cmd.exe
2764	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\system\DTNFB.exe	4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe
File opened for modification	C:\windows\system\DTNFB.exe	4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe
File created	C:\windows\system\DTNFB.exe.bat	4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DTNFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2780	4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe
2780	4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe
2756	DTNFB.exe
2756	DTNFB.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2780	4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe
2780	4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe
2756	DTNFB.exe
2756	DTNFB.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2764	2780	4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe	31
PID 2780 wrote to memory of 2764	2780	4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe	31
PID 2780 wrote to memory of 2764	2780	4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe	31
PID 2780 wrote to memory of 2764	2780	4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe	31
PID 2764 wrote to memory of 2756	2764	cmd.exe	33
PID 2764 wrote to memory of 2756	2764	cmd.exe	33
PID 2764 wrote to memory of 2756	2764	cmd.exe	33
PID 2764 wrote to memory of 2756	2764	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe
"C:\Users\Admin\AppData\Local\Temp\4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system\DTNFB.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\windows\system\DTNFB.exe
    C:\windows\system\DTNFB.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DTNFB.exe.bat

Filesize
70B

MD5
ba63c6f4ef3271bd742f32280a6164de

SHA1
e7017e0ef5676c3d76566fac8312bcc386327bf3

SHA256
0ece9f3bc93e52853b6f2acd408d5427a9d779f9aeb87699dbde136a93111742

SHA512
b77a4e99d45dc11915c5cbebb5bd64008dac0cc5ba05316edcddf0ac56f7e7e2a9388bfa278a770a3ef0558144fb54bea3f9f1e4831b50bdc437144ebf945539

Download Submit
\Windows\system\DTNFB.exe

Filesize
208KB

MD5
6f491bc60f69307e681abe972dfbb219

SHA1
c7188b877a6768da701e7c7cd472db2a4461adcb

SHA256
8e541650df92a0992688d94d9db2c5386e0419d223f5612f4af1d9bf36ae0075

SHA512
33792c117e894959a4d7767922662a0a9ad350aef1a3c9290ae82ebba2167ed33bd0792172d05b99d1e9f2042529520d335322f3a9f8d03a973d0166a7ed9e0b

Download Submit
memory/2756-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2756-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2764-18-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/2764-17-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/2780-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2780-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing