ebd08ccfa5568eeee226aa06397f877621b3ea4bc6590cc35bbfee56ab230d6d

General

Target

ebd08ccfa5568eeee226aa06397f877621b3ea4bc6590cc35bbfee56ab230d6dN.exe
Size

2.3MB
MD5

85134b1068ba18f9c908ccc455875770
SHA1

a6cd8e787a4c53c61193b6512e82e11163952775
SHA256

ebd08ccfa5568eeee226aa06397f877621b3ea4bc6590cc35bbfee56ab230d6d
SHA512

1fa85c7b599684cc115a92a28777ed29115f3595d9a291edf82d74b72f75744548b3b16b09d7c7833d7ba6be8ea0ca04cf86a8282dec576c2bfefe8f5370b7db
SSDEEP

49152:f1OsZ4FrDBfT/D4QhGdMIL3Eph5uvFvwQDSM+SG57UFuNemLoNBDIHhH8AF+:f1Os4JDBr/MaGdMq0wFoQD3oUFuAmEjB

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	tm-agent-remover.exe

Executes dropped EXE 2 IoCs

pid	Process
2300	tm-agent-remover.exe
5088	7a6ae2255c4b480b8724046a4a9d26bd.exe

Loads dropped DLL 3 IoCs

pid	Process
2300	tm-agent-remover.exe
2300	tm-agent-remover.exe
2300	tm-agent-remover.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebd08ccfa5568eeee226aa06397f877621b3ea4bc6590cc35bbfee56ab230d6dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tm-agent-remover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a6ae2255c4b480b8724046a4a9d26bd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2300	1196	ebd08ccfa5568eeee226aa06397f877621b3ea4bc6590cc35bbfee56ab230d6dN.exe	82
PID 1196 wrote to memory of 2300	1196	ebd08ccfa5568eeee226aa06397f877621b3ea4bc6590cc35bbfee56ab230d6dN.exe	82
PID 1196 wrote to memory of 2300	1196	ebd08ccfa5568eeee226aa06397f877621b3ea4bc6590cc35bbfee56ab230d6dN.exe	82
PID 2300 wrote to memory of 5088	2300	tm-agent-remover.exe	83
PID 2300 wrote to memory of 5088	2300	tm-agent-remover.exe	83
PID 2300 wrote to memory of 5088	2300	tm-agent-remover.exe	83

C:\Users\Admin\AppData\Local\Temp\ebd08ccfa5568eeee226aa06397f877621b3ea4bc6590cc35bbfee56ab230d6dN.exe
"C:\Users\Admin\AppData\Local\Temp\ebd08ccfa5568eeee226aa06397f877621b3ea4bc6590cc35bbfee56ab230d6dN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\7zS9D49.tmp\tm-agent-remover.exe
  .\tm-agent-remover.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\7a6ae2255c4b480b8724046a4a9d26bd.exe
    "C:\Users\Admin\AppData\Local\Temp\7a6ae2255c4b480b8724046a4a9d26bd.exe" --01
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7a6ae2255c4b480b8724046a4a9d26bd.exe

Filesize
6.1MB

MD5
99296aa145c422a0bb687bb1d8bb9744

SHA1
6fb638d62af27dd8d507b38f2f04e13cd125f2d8

SHA256
b9ff4485881eac76997ffdafc8a2429ca7d8b0003e082f96ae72b26930d3b2ef

SHA512
688d1db085a66377b3bcb2ee0ff88f09d94841724d135e4383812634fcfba29b8a4d0f8291fd856db8fb3a4d0c6f79f26a64802388d78761fe65c7ef077270a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9D49.tmp\rmvr.dll

Filesize
7.1MB

MD5
887044bfd11c65bd92488e8f92f5e757

SHA1
4b6e8b85f1d493dd2124453dd04df4121047f314

SHA256
93ba910a10eb1bd7b277ab66939c958ddbcff51f1fa58b85ece2d627165a0d14

SHA512
b806146b2f8c43c3ff84beb3f355fc9df70b6b9d5aa98cbbb13531d793c992dbb36d0ec096e1272b378de784fb28343c2caf69ad9fc01d31ab97b9583c509935

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9D49.tmp\tm-agent-remover.exe

Filesize
13KB

MD5
06203e59a31d5adab0ee4deba5292a6b

SHA1
baac5c9a6e2f55a77cee22ba8de76116eb58d8fe

SHA256
9bb4f099d1e6a4880651a5334595eee2a4ebf724dab51c6ea697bb0fecd45268

SHA512
1200be9c27a27e10b747bc366e7754560e3b528cec8dd5aea5e317eb4d6380c5e2380d50ff91fb9f3aa21c7c3de89ebcc4688912f210cf919f3b6ad7ce339127

Download Submit
memory/2300-15-0x0000000002E00000-0x0000000002E2E000-memory.dmp

Filesize
184KB

Download
memory/2300-13-0x0000000005C70000-0x0000000006392000-memory.dmp

Filesize
7.1MB

Download
memory/2300-14-0x0000000074F30000-0x0000000075652000-memory.dmp

Filesize
7.1MB

Download
memory/2300-10-0x000000007467E000-0x000000007467F000-memory.dmp

Filesize
4KB

Download
memory/2300-16-0x00000000063A0000-0x0000000006944000-memory.dmp

Filesize
5.6MB

Download
memory/2300-17-0x00000000055E0000-0x0000000005672000-memory.dmp

Filesize
584KB

Download
memory/2300-18-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/2300-19-0x0000000005A70000-0x0000000005A7A000-memory.dmp

Filesize
40KB

Download
memory/2300-9-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

Filesize
64KB

Download
memory/2300-25-0x0000000007830000-0x0000000007840000-memory.dmp

Filesize
64KB

Download
memory/2300-26-0x0000000007870000-0x0000000007892000-memory.dmp

Filesize
136KB

Download
memory/2300-27-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing