f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4a

General

Target

f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4aN.exe
Size

208KB
MD5

0b5bd65415b046d5dd22729b9b41c2f0
SHA1

854d7404e0ec81f4201dd77b715078e5b6e51287
SHA256

f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4a
SHA512

1142fa0d39804370241934cab2b2091e2580a77688ac293a3768eb4145a073c1a4fb5dd45befc60e4086e4b44c0fedeb25cc163bcb06f583740954be596b4c14
SSDEEP

3072:qlOmmjXaLd6ri9E1rpt2PCV3rM4tYmh9I5TrooO+8fACT4NLthEjQT6W:qwDnrJ1ryPCue+Vog84wQEjE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2860	EYFJWUB.exe

Loads dropped DLL 2 IoCs

pid	Process
2408	cmd.exe
2408	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\EYFJWUB.exe	f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4aN.exe
File opened for modification	C:\windows\SysWOW64\EYFJWUB.exe	f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4aN.exe
File created	C:\windows\SysWOW64\EYFJWUB.exe.bat	f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4aN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EYFJWUB.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1736	f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4aN.exe
1736	f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4aN.exe
2860	EYFJWUB.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1736	f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4aN.exe
1736	f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4aN.exe
2860	EYFJWUB.exe
2860	EYFJWUB.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2408	1736	f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4aN.exe	30
PID 1736 wrote to memory of 2408	1736	f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4aN.exe	30
PID 1736 wrote to memory of 2408	1736	f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4aN.exe	30
PID 1736 wrote to memory of 2408	1736	f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4aN.exe	30
PID 2408 wrote to memory of 2860	2408	cmd.exe	32
PID 2408 wrote to memory of 2860	2408	cmd.exe	32
PID 2408 wrote to memory of 2860	2408	cmd.exe	32
PID 2408 wrote to memory of 2860	2408	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4aN.exe
"C:\Users\Admin\AppData\Local\Temp\f59849fc44a29a8813fe8d49e1d96cdb41199be5a12dc737872d9f8678e82d4aN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\EYFJWUB.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\windows\SysWOW64\EYFJWUB.exe
    C:\windows\system32\EYFJWUB.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\EYFJWUB.exe.bat

Filesize
78B

MD5
0b122b749cfa03bca1000c90d5841e84

SHA1
736e6acb6b433223d28f3b75bf4343bd947121f6

SHA256
aa202387727955d97dd5de55e19b8015f4b9f10ec7c3efabfcd500d1a562169e

SHA512
b50e130b1c0b9d3f6cc79ee8f6412da9d9b461fb507a634e2aa65e44b33ef5e745f5a6ebe8e80f2b6a69a4639800eb4bba02337cad9cd059781f3e855e8b469c

Download Submit
\Windows\SysWOW64\EYFJWUB.exe

Filesize
208KB

MD5
31490c8ec31bae12f7631abda719bb24

SHA1
90a8025786f4bfb7ea3be81f302522bb60d87ebc

SHA256
e6db85a1550978d6056cc0c954d454d6be441c2f06e01d897996e267ff0abd79

SHA512
c718fe0b54ac0f60410759e8864cb7398c19c3d6b446406f2eabdb30b1163063321061979b6a9a0a7bf44d523444e1bca01db8c42b4709767425011c4d0588f7

Download Submit
memory/1736-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1736-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2408-18-0x0000000000170000-0x00000000001A8000-memory.dmp

Filesize
224KB

Download
memory/2408-17-0x0000000000170000-0x00000000001A8000-memory.dmp

Filesize
224KB

Download
memory/2860-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2860-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing