2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1b

General

Target

2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe
Size

514KB
MD5

17db37f7d173785f89d7e60b0c0e29a0
SHA1

6696317e13f1ac1f5a2094b1498e9f63b0fbf729
SHA256

2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1b
SHA512

51cf8903afb46eeed1a6d48eb071973b3ed7b3cc1e914ad42aec3a1239afe9b1fa9f7af054146d41c6ce79907cf3d3fd022146ab56522b1cbfffd365c0d07115
SSDEEP

6144:st9sTEckQEgdfHvkqFyMdFkuR7lQl/4sYdXj98:s6D3dfMqsMdOuRJQYX58

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
708	WJ7jzUkOo9ZKeWKI.exe

Executes dropped EXE 2 IoCs

pid	Process
3024	WJ7jzUkOo9ZKeWKI.exe
708	WJ7jzUkOo9ZKeWKI.exe

Loads dropped DLL 4 IoCs

pid	Process
1056	2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe
1056	2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe
708	WJ7jzUkOo9ZKeWKI.exe
708	WJ7jzUkOo9ZKeWKI.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a6gr4w6XBV3 = "C:\\ProgramData\\s3HEPuvVuNs1\\WJ7jzUkOo9ZKeWKI.exe"	2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 1056	3044	2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe	85
PID 3024 set thread context of 708	3024	WJ7jzUkOo9ZKeWKI.exe	87
PID 708 set thread context of 1408	708	WJ7jzUkOo9ZKeWKI.exe	88

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WJ7jzUkOo9ZKeWKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WJ7jzUkOo9ZKeWKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arh.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1056	3044	2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe	85
PID 3044 wrote to memory of 1056	3044	2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe	85
PID 3044 wrote to memory of 1056	3044	2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe	85
PID 3044 wrote to memory of 1056	3044	2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe	85
PID 3044 wrote to memory of 1056	3044	2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe	85
PID 1056 wrote to memory of 3024	1056	2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe	86
PID 1056 wrote to memory of 3024	1056	2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe	86
PID 1056 wrote to memory of 3024	1056	2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe	86
PID 3024 wrote to memory of 708	3024	WJ7jzUkOo9ZKeWKI.exe	87
PID 3024 wrote to memory of 708	3024	WJ7jzUkOo9ZKeWKI.exe	87
PID 3024 wrote to memory of 708	3024	WJ7jzUkOo9ZKeWKI.exe	87
PID 3024 wrote to memory of 708	3024	WJ7jzUkOo9ZKeWKI.exe	87
PID 3024 wrote to memory of 708	3024	WJ7jzUkOo9ZKeWKI.exe	87
PID 708 wrote to memory of 1408	708	WJ7jzUkOo9ZKeWKI.exe	88
PID 708 wrote to memory of 1408	708	WJ7jzUkOo9ZKeWKI.exe	88
PID 708 wrote to memory of 1408	708	WJ7jzUkOo9ZKeWKI.exe	88
PID 708 wrote to memory of 1408	708	WJ7jzUkOo9ZKeWKI.exe	88
PID 708 wrote to memory of 1408	708	WJ7jzUkOo9ZKeWKI.exe	88

C:\Users\Admin\AppData\Local\Temp\2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe
"C:\Users\Admin\AppData\Local\Temp\2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe
  "C:\Users\Admin\AppData\Local\Temp\2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1bN.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\ProgramData\s3HEPuvVuNs1\WJ7jzUkOo9ZKeWKI.exe
    "C:\ProgramData\s3HEPuvVuNs1\WJ7jzUkOo9ZKeWKI.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\ProgramData\s3HEPuvVuNs1\WJ7jzUkOo9ZKeWKI.exe
      "C:\ProgramData\s3HEPuvVuNs1\WJ7jzUkOo9ZKeWKI.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:708
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe" /i:708
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\s3HEPuvVuNs1\RCX949F.tmp

Filesize
514KB

MD5
4a6cfdd2cba1eae4c6698b83165fa2b1

SHA1
f91ac429a5acaf1fc23cf690fa8a5745ec95f502

SHA256
29e1fdbb0591a655812e3f108f14949259738be0fafba6bc5ca3b527053d86dd

SHA512
2cb6d38f43e11b82d503e75306a9269a44207c7384c014f85376c962b63d74edb0eb8f627d40d1f83825e346d78e3ecb7a0721166d1d57f41583079ed8c75303

Download Submit
C:\ProgramData\s3HEPuvVuNs1\WJ7jzUkOo9ZKeWKI.exe

Filesize
514KB

MD5
17db37f7d173785f89d7e60b0c0e29a0

SHA1
6696317e13f1ac1f5a2094b1498e9f63b0fbf729

SHA256
2d1a78155a04aa5de4ff7df1c8fcf2ab68018c0393dff9073b591108d6976d1b

SHA512
51cf8903afb46eeed1a6d48eb071973b3ed7b3cc1e914ad42aec3a1239afe9b1fa9f7af054146d41c6ce79907cf3d3fd022146ab56522b1cbfffd365c0d07115

Download Submit
memory/708-29-0x0000000076590000-0x0000000076680000-memory.dmp

Filesize
960KB

Download
memory/708-41-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/708-43-0x0000000076590000-0x0000000076680000-memory.dmp

Filesize
960KB

Download
memory/1056-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1056-3-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1056-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1056-5-0x0000000076590000-0x0000000076680000-memory.dmp

Filesize
960KB

Download
memory/1056-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1056-21-0x0000000076590000-0x0000000076680000-memory.dmp

Filesize
960KB

Download
memory/1408-40-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3024-28-0x0000000076590000-0x0000000076680000-memory.dmp

Filesize
960KB

Download
memory/3024-25-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3024-22-0x0000000076590000-0x0000000076680000-memory.dmp

Filesize
960KB

Download
memory/3044-0-0x00000000765B0000-0x00000000765B1000-memory.dmp

Filesize
4KB

Download
memory/3044-4-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads