715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f

General

Target

715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe
Size

841KB
MD5

4a667433343828c12e9c5679f707db74
SHA1

1ef28cff2d80369bece4b28b88beaf52342cc62a
SHA256

715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f
SHA512

c03b335895ac4a0ae9825000c4ef9d73f67e0a9475556567fdfe547ab9f03fbfa9c63a1a4db8b3cf89ddfa36b8db37d178fd3bfa3c5945519e20ef06493690b9
SSDEEP

24576:muS04YNEMuExDiU6E5R9s8xY/2l/df6Ibt+rH:mq4auS+UjfU2Tf6Ibt+r

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2868	WindowsInput.exe

Loads dropped DLL 1 IoCs

pid	Process
2700	715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe
File opened for modification	C:\Windows\SysWOW64\WindowsInput.InstallLog	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3008	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3008	AcroRd32.exe
3008	AcroRd32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2868	2700	715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe	32
PID 2700 wrote to memory of 2868	2700	715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe	32
PID 2700 wrote to memory of 2868	2700	715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe	32
PID 2700 wrote to memory of 2868	2700	715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe	32
PID 2700 wrote to memory of 1256	2700	715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe	33
PID 2700 wrote to memory of 1256	2700	715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe	33
PID 2700 wrote to memory of 1256	2700	715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe	33
PID 2700 wrote to memory of 1256	2700	715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe	33
PID 2700 wrote to memory of 1256	2700	715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe	33
PID 2700 wrote to memory of 1256	2700	715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe	33
PID 2700 wrote to memory of 1256	2700	715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe	33
PID 1256 wrote to memory of 3008	1256	rundll32.exe	34
PID 1256 wrote to memory of 3008	1256	rundll32.exe	34
PID 1256 wrote to memory of 3008	1256	rundll32.exe	34
PID 1256 wrote to memory of 3008	1256	rundll32.exe	34

C:\Users\Admin\AppData\Local\Temp\715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe
"C:\Users\Admin\AppData\Local\Temp\715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2868
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows.old\WINDOWS
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Windows.old\WINDOWS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
69339aa2b7229574a0219592f5968bc3

SHA1
1d1b4c2fc4bfa8014922c4c33925631ef1e04e9b

SHA256
c6a8a5db9fb43c31bdeae1176aeac3f56d6bad630f59469b95e9655048928b8f

SHA512
9030704300c8214c6a8b1863abdcd9bae5bb558c884521ba192368b4cf2956d4072f1e6d7a52b5981753648a16284b3fa40ef9263d9a6d13e8ebaf2f28a41d11

Download Submit
C:\Windows.old\WINDOWS

Filesize
841KB

MD5
4a667433343828c12e9c5679f707db74

SHA1
1ef28cff2d80369bece4b28b88beaf52342cc62a

SHA256
715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f

SHA512
c03b335895ac4a0ae9825000c4ef9d73f67e0a9475556567fdfe547ab9f03fbfa9c63a1a4db8b3cf89ddfa36b8db37d178fd3bfa3c5945519e20ef06493690b9

Download Submit
C:\Windows\SysWOW64\WindowsInput.InstallLog

Filesize
224B

MD5
e469dda91ae810a1f94c96060f3f8a65

SHA1
0b4b3b0f6f937016b1e045ce5313ee2a65a38630

SHA256
d42fee8db8eb0e047ca53ad59b1c9bc69fe04993be36fec502e3532371908842

SHA512
2eb4037361c03e195c642a53f55a3182a6df19903db503060e366f2394750e64ae04fdaace61ef5a6dba649defc88322d78edd2928bc53ebd1ce11d68cc88dac

Download Submit
C:\Windows\SysWOW64\WindowsInput.InstallLog

Filesize
597B

MD5
c2291863df7c2d3038ce3c22fa276506

SHA1
7b7d2bc07a6c35523807342c747c9b6a19f3184e

SHA256
14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da

SHA512
00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e854a4636afc652b320e12e50ba4080e

SHA1
8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc

SHA256
94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5

SHA512
30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

Download Submit
memory/2700-1-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-2-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-0-0x0000000074E71000-0x0000000074E72000-memory.dmp

Filesize
4KB

Download
memory/2700-42-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2868-20-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-36-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-23-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-9-0x000007FEF672E000-0x000007FEF672F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing