a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01cc

General

Target

a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe
Size

152KB
MD5

31f3867cfc5cc34e70281f1f630edbb0
SHA1

3c4ff21af64d5156f75499f4308a463405ccb08a
SHA256

a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01cc
SHA512

f1e746cc87b254fe7f9b16ee19f309baddefb59fed4d01063fb5e273e33deaa9175983d8b954bf22d5f4620631d228f50c7ed617ca9a62d8b1789369e347e836
SSDEEP

1536:a6myQm5x9jSp42U/35fK6q+vMoGMaK9aWLwbOB0QQiz:fn3Wy2w5fK6tvFt9aW+Ozfz

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2104 set thread context of 2796	2104	a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1068	3452	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3452	winver.exe
3452	winver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3452	winver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2104	a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3432	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2796	2104	a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe	87
PID 2104 wrote to memory of 2796	2104	a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe	87
PID 2104 wrote to memory of 2796	2104	a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe	87
PID 2104 wrote to memory of 2796	2104	a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe	87
PID 2104 wrote to memory of 2796	2104	a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe	87
PID 2104 wrote to memory of 2796	2104	a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe	87
PID 2104 wrote to memory of 2796	2104	a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe	87
PID 2796 wrote to memory of 3452	2796	a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe	88
PID 2796 wrote to memory of 3452	2796	a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe	88
PID 2796 wrote to memory of 3452	2796	a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe	88
PID 2796 wrote to memory of 3452	2796	a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe	88
PID 3452 wrote to memory of 3432	3452	winver.exe	56
PID 3452 wrote to memory of 2900	3452	winver.exe	50

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2900

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3432
- C:\Users\Admin\AppData\Local\Temp\a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe
  "C:\Users\Admin\AppData\Local\Temp\a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe
    "C:\Users\Admin\AppData\Local\Temp\a87231d678ab6489f9aab44a568fe454c8ec0eaafb94b5e1d5a8f82b167a01ccN.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\winver.exe
      winver
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 636
        5⤵
        Program crash
        
        PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3452 -ip 3452
1⤵
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2796-2-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2900-13-0x0000000000570000-0x0000000000577000-memory.dmp

Filesize
28KB

Download
memory/2900-14-0x0000000000570000-0x0000000000577000-memory.dmp

Filesize
28KB

Download
memory/2900-18-0x00007FFC460F0000-0x00007FFC460F1000-memory.dmp

Filesize
4KB

Download
memory/3432-10-0x00007FFC45F6D000-0x00007FFC45F6E000-memory.dmp

Filesize
4KB

Download
memory/3432-9-0x0000000001F80000-0x0000000001F87000-memory.dmp

Filesize
28KB

Download
memory/3432-3-0x0000000001F80000-0x0000000001F87000-memory.dmp

Filesize
28KB

Download
memory/3452-4-0x0000000000940000-0x0000000000947000-memory.dmp

Filesize
28KB

Download
memory/3452-8-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/3452-7-0x0000000000E51000-0x0000000000E52000-memory.dmp

Filesize
4KB

Download
memory/3452-15-0x0000000000940000-0x0000000000947000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing