e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1

General

Target

e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1N.exe
Size

416KB
MD5

f1697797bf4abf64ec6706dd10119250
SHA1

4e2830e9ee685e7835a0978a177be37314b7d9d1
SHA256

e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1
SHA512

43531078e65b02e39bf7d923113acf8ee003ae397a4f3dd076a540bb81a3b93ae50690d3b7fad330af0faf3388cff5a422be4515ff902c211a8c93cc6b9c8e96
SSDEEP

6144:ITNE3ZRrnaBVlvphVxmP+6CiejgcME1cwYfU+va+RU7K:ITNYrnE3bm/CiejewY5vZ

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ximo2ubzn1i.exe

pid process

1924 ximo2ubzn1i.exe
Loads dropped DLL 1 IoCs

Processes:

e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1N.exe

pid process

1644 e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1N.exe

pid	process
1924	ximo2ubzn1i.exe

pid	process
1644	e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1N.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\c5e4gxfvd4v = "C:\\Users\\Admin\\AppData\\Roaming\\c5e4gxfvd4v\\ximo2ubzn1i.exe"	e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1N.exeximo2ubzn1i.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ximo2ubzn1i.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1N.exeximo2ubzn1i.exe

description	pid	process	target process
PID 1644 wrote to memory of 1924	1644	e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1N.exe	ximo2ubzn1i.exe
PID 1644 wrote to memory of 1924	1644	e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1N.exe	ximo2ubzn1i.exe
PID 1644 wrote to memory of 1924	1644	e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1N.exe	ximo2ubzn1i.exe
PID 1644 wrote to memory of 1924	1644	e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1N.exe	ximo2ubzn1i.exe
PID 1924 wrote to memory of 2948	1924	ximo2ubzn1i.exe	regasm.exe
PID 1924 wrote to memory of 2948	1924	ximo2ubzn1i.exe	regasm.exe
PID 1924 wrote to memory of 2948	1924	ximo2ubzn1i.exe	regasm.exe
PID 1924 wrote to memory of 2948	1924	ximo2ubzn1i.exe	regasm.exe
PID 1924 wrote to memory of 2948	1924	ximo2ubzn1i.exe	regasm.exe
PID 1924 wrote to memory of 2948	1924	ximo2ubzn1i.exe	regasm.exe
PID 1924 wrote to memory of 2948	1924	ximo2ubzn1i.exe	regasm.exe

C:\Users\Admin\AppData\Local\Temp\e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1N.exe
"C:\Users\Admin\AppData\Local\Temp\e9f8fee885f2a262dcd4a874dd2cb724ea584704d182f1759ae2c455c48653e1N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe
  "C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe

Filesize
416KB

MD5
3871811755fdc0b7e96ef6301cbc7587

SHA1
11a9e86f4d8b7a3daec55a7a493f95ac753743af

SHA256
72e6da3052910c1a73482b1856f759145a3c7f66f23ce9ed2c4ab1f4713b1d24

SHA512
d5a3eedea183619cb9a5560d7b4d7ce0932fb3869ea48ff2aa8ebff067e46f3957190839947b06ef4c9bc3f7853a8b5d4770553c426577042739854ff706f967

Download Submit
memory/1644-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/1644-1-0x0000000000D20000-0x0000000000D8E000-memory.dmp

Filesize
440KB

Download
memory/1644-2-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/1644-3-0x0000000000810000-0x000000000084C000-memory.dmp

Filesize
240KB

Download
memory/1644-12-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/1924-13-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/1924-14-0x0000000001240000-0x00000000012AE000-memory.dmp

Filesize
440KB

Download
memory/1924-15-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/1924-16-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/1924-17-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads