67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56

General

Target

67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe
Size

404KB
MD5

1dbbf70bcb41e1848027232b2bedc0f2
SHA1

444fdab78a1aaaf777abb772d62eca28f9ffd470
SHA256

67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56
SHA512

283f36037c3fab94e54d2d304c722f1219bc7f12ef3c04245f45060124601b5c3b40f9f4f25105e835dcc4d82e49a3e19fb416a6a0e71f328a3cf257702d691d
SSDEEP

6144:Jla4A9VucHTW2VfgsYPk75lBfWFx+1TJq6OJoVQZ62wuEBV3i6OSbOytv:K9JojWtg6VSZy9

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2752	Getting Things Done Outlook Add-In v2.00.0058(working crack).exe
2772	7za.exe
2560	ic1.exe

Loads dropped DLL 10 IoCs

pid	Process
2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe
2752	Getting Things Done Outlook Add-In v2.00.0058(working crack).exe
2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe
2752	Getting Things Done Outlook Add-In v2.00.0058(working crack).exe
2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe
2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe
2772	7za.exe
2772	7za.exe
2772	7za.exe
2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Getting Things Done Outlook Add-In v2.00.0058(working crack).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	Getting Things Done Outlook Add-In v2.00.0058(working crack).exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2752	Getting Things Done Outlook Add-In v2.00.0058(working crack).exe
2752	Getting Things Done Outlook Add-In v2.00.0058(working crack).exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2752	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	31
PID 2648 wrote to memory of 2752	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	31
PID 2648 wrote to memory of 2752	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	31
PID 2648 wrote to memory of 2752	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	31
PID 2648 wrote to memory of 2752	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	31
PID 2648 wrote to memory of 2752	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	31
PID 2648 wrote to memory of 2752	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	31
PID 2648 wrote to memory of 2772	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	32
PID 2648 wrote to memory of 2772	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	32
PID 2648 wrote to memory of 2772	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	32
PID 2648 wrote to memory of 2772	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	32
PID 2648 wrote to memory of 2772	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	32
PID 2648 wrote to memory of 2772	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	32
PID 2648 wrote to memory of 2772	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	32
PID 2648 wrote to memory of 2560	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	34
PID 2648 wrote to memory of 2560	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	34
PID 2648 wrote to memory of 2560	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	34
PID 2648 wrote to memory of 2560	2648	67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe	34

C:\Users\Admin\AppData\Local\Temp\67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe
"C:\Users\Admin\AppData\Local\Temp\67ad9109553facf7a647504bf296a0299e72882cd5d2a837fa1d87b17bdbaa56.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\Getting Things Done Outlook Add-In v2.00.0058(working crack).exe
  "C:\Users\Admin\AppData\Local\Temp\Getting Things Done Outlook Add-In v2.00.0058(working crack).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  C:\Users\Admin\AppData\Local\Temp\7za.exe x C:\Users\Admin\AppData\Local\Temp\a1.7z -aoa -oC:\Users\Admin\AppData\Local\Temp -plolmilf
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\ic1.exe
  "C:\Users\Admin\AppData\Local\Temp\ic1.exe"
  2⤵
  - Executes dropped EXE
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a1.7z

Filesize
7KB

MD5
f5112eb93372b965879f2d897b24e2a5

SHA1
727f3f176d7f95e66aeea223aaf708e31ae29b26

SHA256
32996b94d4f2f1c3611ad7ec66ec249f6477e2bba48d6b8c0dc92a00360363a7

SHA512
720816ac9ad40018f77206109ad8b91f5e95c7cffb4394d5de316da38218bfc573b4beb584dfdf2eb54632ebb5bc33878f16b1edbba9e8f5cc0296e9109aba46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic1.exe

Filesize
18KB

MD5
b64b538899d4588a05d7d3db92918448

SHA1
b2d0b29a9c69bac6b22f696474eb031cca664f9a

SHA256
803abec016d53636f2817c972f2c769beb36501fc8bd30c73994958eb94cfb29

SHA512
ba4732c7a25dfdd636009a5ec8597e233c7c2b736b9c08a07dce13de70d9e0e08652b7f323ab590a29b57da12bf6a347675b2103bdfef06a80dbfd555ad09727

Download Submit
\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
523KB

MD5
e92604e043f51c604b6d1ac3bcd3a202

SHA1
4154dda4a1e2a5ed14303dc3d36f448953ff6d33

SHA256
fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3

SHA512
ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43

Download Submit
\Users\Admin\AppData\Local\Temp\Getting Things Done Outlook Add-In v2.00.0058(working crack).exe

Filesize
162KB

MD5
40727cbcc6ecd2441358c120c4b1c02e

SHA1
3c9e1863c2635f85c3d2c02d41090b8ed1e81e99

SHA256
09c6db5a1814e677cf2844b43d529aa60084edc16408b00fbe0d903230460616

SHA512
8c6273a68d48facafb9a535c299988b65c6ec3cb801b2dbcb1c08c22171dd2fcdfaac8f8934bfd88dab6342086eca1cb318d1c10c334e69270e9f732716160a7

Download Submit
\Users\Admin\AppData\Local\Temp\nsjEAAF.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
memory/2560-39-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing