39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29

General

Target

39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29N.exe
Size

289KB
MD5

1bbf3d2f752c521719966873af4e9760
SHA1

ce3a55eaa4a5a53629a0614d3905c07de1f2fef1
SHA256

39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29
SHA512

04062dc3206d7c92c3e89a728012f2ba9d07f7cf46fea2dbe5a06f35f148c2b57ef184a5e1e72d8a80054c5813122a0db81479c8f0e9eb64d0b669d953ee362c
SSDEEP

6144:fiyz+vqfL+8OaAH2QYepZ3SgkECzJLaQVbU5:qgLOaybYeLdklJLJbU5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2456	TWF.exe

Loads dropped DLL 2 IoCs

pid	Process
868	cmd.exe
868	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\TWF.exe	39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29N.exe
File opened for modification	C:\windows\SysWOW64\TWF.exe	39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29N.exe
File created	C:\windows\SysWOW64\TWF.exe.bat	39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TWF.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1724	39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29N.exe
1724	39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29N.exe
2456	TWF.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1724	39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29N.exe
1724	39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29N.exe
2456	TWF.exe
2456	TWF.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 868	1724	39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29N.exe	30
PID 1724 wrote to memory of 868	1724	39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29N.exe	30
PID 1724 wrote to memory of 868	1724	39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29N.exe	30
PID 1724 wrote to memory of 868	1724	39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29N.exe	30
PID 868 wrote to memory of 2456	868	cmd.exe	32
PID 868 wrote to memory of 2456	868	cmd.exe	32
PID 868 wrote to memory of 2456	868	cmd.exe	32
PID 868 wrote to memory of 2456	868	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29N.exe
"C:\Users\Admin\AppData\Local\Temp\39842379b837ad89b30b0675f81ba5fc69beff3b24c954be8114850d7a9c1b29N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\TWF.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\windows\SysWOW64\TWF.exe
    C:\windows\system32\TWF.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\TWF.exe.bat

Filesize
70B

MD5
b532fc215ee64ef148a64161bb31a1bc

SHA1
2dc35004383b24e6044b57ae6316785842aabd08

SHA256
74171c5c001a93d9654ef0dc5a7e202023ac86386a97b55e6b3faf74954b14d8

SHA512
865920490c6ad77e2428f5bbf52481d9ea530398e9464f4b02da6156bbe603b00b1f8a850d6eddc28c4739b019b4e57d1e419b71f450a86b381be2c54d68ee65

Download Submit
C:\windows\SysWOW64\TWF.exe

Filesize
289KB

MD5
6d81e350f93a3881bddf60515532dc90

SHA1
f60ae752b96120185c416c887262542b7d8852fb

SHA256
1bcc1209affcf300e9257779b34745b3d1ea671c234042e8f025a2b2cb7962d9

SHA512
682f7070f48e39ff2f9c343f99b052ea326a9c0f35ee11744406f258a7706768250641d091d50bfff8a1f80de8a5d12ae0969439c5200a9af8c9bc7ae5e7ba4d

Download Submit
memory/868-18-0x0000000000180000-0x00000000001BF000-memory.dmp

Filesize
252KB

Download
memory/868-17-0x0000000000180000-0x00000000001BF000-memory.dmp

Filesize
252KB

Download
memory/1724-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1724-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing