28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda

General

Target

28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe
Size

11.4MB
MD5

57c1ebf5e18964c6323b180ff8fa26fd
SHA1

bceedaeb57adf1cbe11027aade3ddffc70ad07f9
SHA256

28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda
SHA512

b06a5e0c094669b7ae7ed82540fd3e2cd5edfada36a2525cd98da3d100b532e678e80a837a0f114a4bf4c3e7ed3277b9e10878cac9b5293862d8f725daed63bc
SSDEEP

196608:c694QeYehmAv8JLWtHkhqZV8fm2nuXPkBh3DXMpeFs2VIFuYHZ1a9bVi/Qe:cEd2p0xhgZiefs/DXnsBuYHZsbgo

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
1664	28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe
1664	28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe
1664	28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe
1664	28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe
1664	28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe
1664	28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe
1664	28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1664	2460	28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe	31
PID 2460 wrote to memory of 1664	2460	28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe	31
PID 2460 wrote to memory of 1664	2460	28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe	31
PID 2460 wrote to memory of 1664	2460	28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe	31

C:\Users\Admin\AppData\Local\Temp\28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe
"C:\Users\Admin\AppData\Local\Temp\28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe
  "C:\Users\Admin\AppData\Local\Temp\28dac78fdc3c9bbf29420476129dd4fb8da8a39de4ffea5a25b1ca973702ceda.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI24602\api-ms-win-core-file-l1-2-0.dll

Filesize
18KB

MD5
395d39f6ec3e09c5194899434150cdf7

SHA1
abd262b486e1adc39b40dbfe012a551c732dfd69

SHA256
ecc40b2c80300b94615b450d5a97ed15ce51aa929c73da22c906ab01856f8223

SHA512
0f55725eb8609ae52c45ff7e255c3e23bff0b9e049f2f37cb4fc12841ad9f5ed8264307961cbd27031997c29ce04677b646f9c859fc629b25186ec52f735ba36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
b178f49844a5168d29d5cce20a6303e3

SHA1
29dd5bd890addbba1d8a9aeacb68716f8208da73

SHA256
9358400795afcc41f5e748e20b139cfbb1ac976b3e460597b0b21893d647276d

SHA512
b65308d482342291069314e9f99964c3479ea41579db17d3cbe3888318bb7605ee67c11a40f14609665a419f44a61809513bddb8b3657b24a4bac16bb274664f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
da1c671169dd183afca9ac76f46fd86e

SHA1
47a1bd0c45d5b87351870b8dd2122da30638ec83

SHA256
e5c2478571ab260776b547579acd847bdecac9b4b9b4590d4ac7c80135c68930

SHA512
5e6eb5525a77ac63bbae2288fecfd5712aff5c194e55d93239ae6171b8602de9d029ca725f15efb03890dff57a34c07435687e87a20839d614cc9c90fdf06f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\python313.dll

Filesize
5.2MB

MD5
dc6074b771be023a809d80981e4900c6

SHA1
8988c755c48d85b5c5da5574f72528d21e86178d

SHA256
b305c2c7ab2f10f92f1a99cae60b669d16298e2c168ee0faf530b7fb3ba1258a

SHA512
3ab4afc07dc11d4456eaca91fcd725548557b5e33e4bfc27cd0a38c6b1cfafcf90803876b191c9d634fcb79202e347d563918689984c6ddae8ecb8dc88df0024

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\ucrtbase.dll

Filesize
1.1MB

MD5
d4cf3fd5e8ee95431cfea69fa84ae57d

SHA1
80f5188570001e4fd5fdad9cbf38479dd4edd255

SHA256
71358d729b01bdf38dbe5440705ea68ea9225f93c834f45c5687b0ea2b417c4e

SHA512
a30488c43ca41ed36ee2917fe8e7a5280e0565859f719a1f709b13c18c3398f323c8ef24608e8f696214d9fe882c32b1a8686800490ca781196810220b30d43b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24602\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
f2cd3227975bd33ae08e34221d223ca6

SHA1
26b19fd814ea86825244e7a7cf82e7eddc189895

SHA256
f88209bb4993bfbcfc9727d101a4f1ecf84649ca5fd15b264faac11daf19ac7f

SHA512
690408ba6d88ad97334a8f9012c5db5c4d46d70cd9519f1d8e9131d1044805dce992d89167ef12d0192f4e5ab079722b88700df9601c05674267fc4f8d5486e3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24602\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
c54a336fdc425291b1d972f6fbaca6c7

SHA1
ea3872c198f3f41e41dcc42cf92aabbc6540579d

SHA256
8d1f5410f8b4326876410b45fcdcabb96bea4941f71ea5b11cb6dae80e6bdd49

SHA512
abe7694493ce2e367582be1155fb5100a7840e67eb1f646dbd5360a47b430ec03634a3f1a940a8a5f555d96da0fdab66a4a2de544b847234e38b588cf597e0e9

Download Submit

Analysis

Sharing