91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61

General

Target

91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.exe
Size

1.6MB
MD5

1b3c8e6b94bf629737f0844845195890
SHA1

d3e0eb6648b27afc461624fda41368289a164af0
SHA256

91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61
SHA512

84f395f42b3574d2bb215e5cb2bab97d9b3ef4c270a8a2d13639c668ee4d57c9160215754756df972de807cb547f3d7969eed998085f311219056709af917d99
SSDEEP

24576:gawwKusHwEwS2yGqKLzO6I6h6gEGe/NIsWvMyCShxiH:wwREDe4Shv2NuMsiH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2656	91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.tmp

Loads dropped DLL 2 IoCs

pid	Process
2232	91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.exe
2656	91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2656	2232	91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.exe	31
PID 2232 wrote to memory of 2656	2232	91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.exe	31
PID 2232 wrote to memory of 2656	2232	91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.exe	31
PID 2232 wrote to memory of 2656	2232	91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.exe	31
PID 2232 wrote to memory of 2656	2232	91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.exe	31
PID 2232 wrote to memory of 2656	2232	91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.exe	31
PID 2232 wrote to memory of 2656	2232	91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.exe	31

C:\Users\Admin\AppData\Local\Temp\91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.exe
"C:\Users\Admin\AppData\Local\Temp\91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\is-L1TDG.tmp\91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-L1TDG.tmp\91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.tmp" /SL5="$110152,865850,776192,C:\Users\Admin\AppData\Local\Temp\91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-8BP6D.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-L1TDG.tmp\91be3d33127f076d8aaac7fc77d3b08705774fb3eb91f297ee935f96fd40ad61.tmp

Filesize
3.0MB

MD5
adb10f3b0d566b92eafcefdca6b906d7

SHA1
fa50ed8676162db378a8862915a31c8340066c12

SHA256
2f9fe51c7c7bf3286cf43abc99b89687778616c344b023dd03bd8e08ed31fe92

SHA512
0da58c71f0c9e5f8b5dc4a6a3ec55a33ea2e2acf36161c225ec5cb21b47b0b99753935b278253f57e5fbb4a8aa8da44562acd56903aa88a7862d2c1150071dd5

Download Submit
memory/2232-14-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2232-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2232-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2656-24-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2656-28-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2656-18-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2656-20-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2656-22-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2656-8-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2656-26-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2656-16-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2656-30-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2656-32-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2656-34-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2656-36-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2656-38-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2656-40-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2656-42-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing