b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77

General

Target

b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe
Size

7.7MB
MD5

d236cf2a197fb1842ac93758ffd45a8e
SHA1

4d79e92d4e0a1f50017783d7f54f6578eb3b6465
SHA256

b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77
SHA512

f32a45c41a78e017fdf31006c18bf2a80d48376af630716aa44862d1a917e3429d88d955b6d72d894db53e8b082e2179fed20729713746a2b4bb48e6683e70c3
SSDEEP

98304:jgcCamHZHf3DjoKMPyBCflfPNUqfgJBAUZLP:V+vDjCyQfTfgJV7

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
292	b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
292	b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
292	b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
292	b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe
292	b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe
292	b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe
292	b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe
292	b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe
292	b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe
292	b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe

C:\Users\Admin\AppData\Local\Temp\b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe
"C:\Users\Admin\AppData\Local\Temp\b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.exe

Filesize
7.7MB

MD5
506c9daa95c0551791a2ce0a5578e195

SHA1
6c1f42c601b8ed0ceeb408835dfd54bc4ac804b4

SHA256
f4ebab96ef63bfaefc88fae1290f5635748b731837eaf43f207a3ddc161b31f5

SHA512
301f839beeb868446294d217f27bca66058ac6c9075e56ac9da816a3096adeee369abcf0edd5a35d995ab5fde608aecc2bc1e0a7dfe5bb14f1d4ffde5303fba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\b925da2aeadc3920a482ccfb2570e2d3d8b7932627397951453f42e2afc58f77.ini

Filesize
13B

MD5
a716dadb0878cf8cbab24d6a642f3e15

SHA1
1b1b68bec54393332cc26d991a075fd0b3265482

SHA256
19ef0c410939ca49791433f7d921551d139b0403873d73123916ef98ed12bdd3

SHA512
063fae271655ba8e42ac2451b1f543704a473c7fd04f64cf31862810673d8448ee65546272cc7c5dd6e9fc34b786ee8c60d4f79b2260a0971274574cc3bdda01

Download Submit
memory/292-49-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-47-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-7-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-8-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-9-0x00000000036F0000-0x00000000036F2000-memory.dmp

Filesize
8KB

Download
memory/292-5-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-3-0x00000000007B7000-0x00000000007B8000-memory.dmp

Filesize
4KB

Download
memory/292-51-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-50-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-48-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-6-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-0-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-42-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-52-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-53-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-54-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-55-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-56-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-57-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-58-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-59-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-60-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/292-61-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download

Analysis

Sharing