1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26

General

Target

1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe
Size

14KB
MD5

2906e9954d3a92a8ef1775fa5e3c2580
SHA1

eed8ecc850cb2f9f7200f765e4789897a5c12fbd
SHA256

1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26
SHA512

09c9ef9fda2f3b5850344d06c4eaf12abea8db44d26531acce526d2694e8149723adbfc9e5de8ded896a56e05bb65c73223d5b153d1193813e7b25802cc787b1
SSDEEP

384:FhM8ifXjqMmzP2o9U25j7AkFI/E8mkvha1H94Ni4bhG:FhMr78it25q/EF1H9D49G

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2992	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2992	cmd.exe
1884	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1884	PING.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1900	2432	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe	28
PID 2432 wrote to memory of 1900	2432	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe	28
PID 2432 wrote to memory of 1900	2432	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe	28
PID 2432 wrote to memory of 1900	2432	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe	28
PID 1900 wrote to memory of 2964	1900	csc.exe	30
PID 1900 wrote to memory of 2964	1900	csc.exe	30
PID 1900 wrote to memory of 2964	1900	csc.exe	30
PID 1900 wrote to memory of 2964	1900	csc.exe	30
PID 2432 wrote to memory of 2992	2432	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe	31
PID 2432 wrote to memory of 2992	2432	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe	31
PID 2432 wrote to memory of 2992	2432	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe	31
PID 2432 wrote to memory of 2992	2432	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe	31
PID 2992 wrote to memory of 1884	2992	cmd.exe	33
PID 2992 wrote to memory of 1884	2992	cmd.exe	33
PID 2992 wrote to memory of 1884	2992	cmd.exe	33
PID 2992 wrote to memory of 1884	2992	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe
"C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mrownrkv\mrownrkv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB616.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9E288778C5CA4DA9AE8BF229C223A721.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe" & move "객갪갂갚객.exe" "C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB616.tmp

Filesize
1KB

MD5
1921e997132ac3e4b26a63d37c0521db

SHA1
baa3c99f66036c53fe1e9629cf2fea8f6ee9afa8

SHA256
4003de5a67f1bf01781b09f7f263150127cddf7af20b095d58a29aaa9075653e

SHA512
39aefadfbe57985ebd187e85d01e43543a37f7a600b80b8eed34c33fc56cdfb860e5ac149eb489e3e106f6806d0d1fa250b33251ef4ec2ce92aaaa83ec691d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\객갪갂갚객.exe

Filesize
14KB

MD5
443e060b8e33e5d2ee663c690637ac72

SHA1
82e2fe71344f306ff798bfd8a43102f8d3acd0cb

SHA256
d81f5d89443235a415bb8e6e46b2d657739cc3bdf7312d73da73e3d76d98e51c

SHA512
11283da3526fcf5ba90176a2307dc04cfe412a52eee5bd55f79b0685372c3a3e3578eaff95b663821b1af81406ed5ba766ab1cb7d1815b67cb2f888cbd3abcf0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9E288778C5CA4DA9AE8BF229C223A721.TMP

Filesize
1KB

MD5
f12174e88035d2bd8b43323380b796d2

SHA1
529b802a100fc6ccda2c9a68d3c78dead90a1e26

SHA256
2779ec07488379c0f55509d077a25159896d51a9a30578e8df6333dbc625f1df

SHA512
7c71165f473f8fa1c21bf59ac558676edad8a380ee08680235969fcdb7c47a2ec70b9eb8fb2f411f8c7cfac361346d2976082455deb944a5dc17dcef942d2096

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mrownrkv\mrownrkv.0.cs

Filesize
24KB

MD5
e8428e274e1a83658b147771a6bdde45

SHA1
8e5f44e3a7f5344a2be7e08334bce584dcefb306

SHA256
c24088f91834cd4205c861007a8b6f70b7545f56047c459293605bcd032b3394

SHA512
00ba0e45b43cdfb00db2547ecfe4a3f8d25adc530fdfcec9355ae9f9a76d3380893013a639c34fe8b70654c6c479fd99a5141850b0428fff11c8a4941ff5202e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mrownrkv\mrownrkv.cmdline

Filesize
275B

MD5
bcd9cb0febc64451c04aaefe0ff92e8f

SHA1
544e2fd3e6cf1cb8b769228ef151d68d150a418f

SHA256
6c459d14efebdc6c792da6789b74a8cfc58ac78c4628b163742c449a090bc051

SHA512
4ee1a46aa6f5cec9d24a364164e3cebca294ad62c8fd0df822ca69b2cfc131994ccbcaf9a3d54435e504e893dd4e34230e4f1650b170e49648956ba4532e3063

Download Submit
memory/2432-0-0x00000000747EE000-0x00000000747EF000-memory.dmp

Filesize
4KB

Download
memory/2432-1-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2432-2-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2432-3-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2432-16-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2432-20-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads