7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970

General

Target

7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970.exe
Size

5.1MB
MD5

f3a3332b13baa50c41644b86efdf0fe4
SHA1

f3b91aa55b8dce62cb614e2a43d8e3973b1d47b6
SHA256

7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970
SHA512

46808e4d79d0d1fbe2835456daf31e0de9e8f296b7863f38400eaa03fbf33be450f92df16f9b77ac5bb95aa33a97d484c1c678891c6e13b151f9cb7865c99be7
SSDEEP

98304:EH//4Q0gBDcLaUgZLGTVCfjemnYMjgfRQ14dewsjdis7xGC4tIf/Yapu5koUe:0BD4aUgZLhj3gZj67xHRnFpu5kPe

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2636	7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970.exe
2636	7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\traveskoen.ini	7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2504	2636	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2504	2636	7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970.exe	30
PID 2636 wrote to memory of 2504	2636	7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970.exe	30
PID 2636 wrote to memory of 2504	2636	7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970.exe	30
PID 2636 wrote to memory of 2504	2636	7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970.exe	30

C:\Users\Admin\AppData\Local\Temp\7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970.exe
"C:\Users\Admin\AppData\Local\Temp\7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 28
  2⤵
  - Program crash
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd5AC0.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5B01.tmp

Filesize
56B

MD5
2b322a53d90a2271fff01bf0834a5fd9

SHA1
da3fb0f558c75c2fe3d0bd7c9c19705b72b57d3d

SHA256
c30c98b13bb40861ba5b1cd08cc1018d11c0e9b0c95716a8a0d7b8e0b863ceb9

SHA512
f0b775fef5150a7824fe25320f0fb1c383bafc1af7ac79e2e3cc7e791d4f296c44755a5a56bd4dfeef8d0c9f913b5f9cf5b4ad8487fdc1163df82050ee64521b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5AD1.tmp

Filesize
10B

MD5
9a53fc1d7126c5e7c81bb5c15b15537b

SHA1
e2d13e0fa37de4c98f30c728210d6afafbb2b000

SHA256
a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92

SHA512
b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5AD1.tmp

Filesize
15B

MD5
03789c00a9fe96c420d84fe30cbd902c

SHA1
c3e589ccd78b4e000d7d294a0d308dfd385a1f43

SHA256
b157a4d58f55726c15605ad776c9c961b28e1ce295d3ebcbad6ac80e5f2c9503

SHA512
16b8866f73666e76b5fd8e04d362a9907accee835e2814197829a06b6f8442ca2ac6aef98960afcaedf64ad403e53374eb59746716dd5b4257d26d4ebfff72a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5AD1.tmp

Filesize
60B

MD5
57fcc15efb7333330e4ce43a197a823f

SHA1
66bd1a4b000cf26b6e568cacdda0e9f88c28f899

SHA256
30a71bbb38285baea3079d8868ee88c97c988727e3a139528fc153291328e394

SHA512
c1b9fda9ba474f6ff65a37656c8cddf072556a2eef653dd043fe1e3ae89e1ae8311aa0433bbb5c989912edbb21c85ed70f6866ab6957c83b88a085ccc4ae0316

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B21.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5A9F.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
\Users\Admin\AppData\Local\Temp\nso5AB0.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
memory/2636-584-0x0000000003AE0000-0x0000000005174000-memory.dmp

Filesize
22.6MB

Download
memory/2636-585-0x0000000003AE0000-0x0000000005174000-memory.dmp

Filesize
22.6MB

Download

Analysis

Sharing