5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148

General

Target

5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe
Size

2.0MB
MD5

c09ced630ebb73f6486dfd4e269e9ec0
SHA1

c1eb6be0fcbb382ac8760e2a7fea9f3f2ff536b3
SHA256

5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148
SHA512

6b15a8e3c20975594a46244f8253d199eaa543d512a6f787ae91cb7aa1f66a0b38c49a7840109717712c66bf625c55971cb0274260f6a7d7cd8620a2b496699e
SSDEEP

49152:72EYTb8atv1orq+pEiSDTj1VyvBal2f/pWzLeO07B+Iy3AqMl1ZcK:qXbIrqH2f/pk07B+yqm1Z

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://my.cloudme.com/v1/ws2/:fullwin/:guide/guide.txt

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1804	InformationCheck.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1216	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InformationCheck.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1216	powershell.exe
1216	powershell.exe
1216	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2588	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe
2588	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe
2588	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2588	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe
2588	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe
2588	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 1216	2588	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe	31
PID 2588 wrote to memory of 1216	2588	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe	31
PID 2588 wrote to memory of 1216	2588	5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe	31
PID 1216 wrote to memory of 1804	1216	powershell.exe	33
PID 1216 wrote to memory of 1804	1216	powershell.exe	33
PID 1216 wrote to memory of 1804	1216	powershell.exe	33
PID 1216 wrote to memory of 1804	1216	powershell.exe	33

C:\Users\Admin\AppData\Local\Temp\5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe
"C:\Users\Admin\AppData\Local\Temp\5da129956246583a0567afe92207df038bbfb4871fee70f3a62411c32aacf148N.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\ProfileDetails.ps1"
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Users\Public\InformationCheck.exe
    "C:\Users\Public\InformationCheck.exe" C:\Users\Public\Details.au3
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Details.au3

Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\Users\Public\InformationCheck.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Public\ProfileDetails.ps1

Filesize
373B

MD5
81084e8a8b48ee1f368f0d1617cece99

SHA1
2d28e1b4bb91ccbfdc12ed886d6e98f869942af1

SHA256
981f871075ccd50cc80571406a5c3dea1467b39df050c46fbf1bbe256c0cb990

SHA512
46298a61eaf57b644410540f45ba5e32f0404c90e0ea26ae1b161a61e2b1720892627e4e3038a244110133b560e01cea3644c636a9084fa7e4c20fb7721181c0

Download Submit
memory/1216-6-0x000007FEF5EAE000-0x000007FEF5EAF000-memory.dmp

Filesize
4KB

Download
memory/1216-7-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1216-10-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/1216-11-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/1216-12-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/1216-9-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/1216-8-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/1216-13-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/1216-19-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing